Queries List
This page contains all queries.
Query | Platform | Severity | Category | Description | Help |
---|---|---|---|---|---|
Serverless Function Environment Variables Not Encrypted a7f8ac28-eed1-483d-87c8-4c325f022572 |
CloudFormation | High | Encryption | AWS Serverless Function should encrypt environment variables | Documentation |
Serverless API Without Content Encoding a2f2800e-614b-4bc8-89e6-fec8afd24800 |
CloudFormation | Medium | Encryption | AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 | Documentation |
Serverless Function Without Unique IAM Role 4ba74f01-aba5-4be2-83bc-be79ff1a3b92 |
CloudFormation | Medium | Insecure Configurations | AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks | Documentation |
Serverless Function Without Tags a71ecabe-03b6-456a-b3bc-d1a39aa20c98 |
CloudFormation | Medium | Insecure Configurations | AWS Serverless Function should have associated tags | Documentation |
Serverless API Endpoint Config Not Private 6b5b0313-771b-4319-ad7a-122ee78700ef |
CloudFormation | Medium | Networking and Firewall | AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet | Documentation |
Serverless API Access Logging Setting Undefined 0a994e04-c6dc-471d-817e-d37451d18a3b |
CloudFormation | Medium | Observability | AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined | Documentation |
Serverless API X-Ray Tracing Disabled c757c6a3-ac87-4b9d-b28d-e5a5add6a315 |
CloudFormation | Medium | Observability | AWS Serverless API should have X-Ray Tracing enabled | Documentation |
Serverless API Cache Cluster Disabled 60a05ede-0a68-4d0d-a58f-f538cf55ff79 |
CloudFormation | Low | Insecure Configurations | AWS Serverless API should have cache clustering enabled | Documentation |
Serverless Function Without Dead Letter Queue cb2f612b-ed42-4ff5-9fb9-255c73d39a18 |
CloudFormation | Low | Insecure Configurations | AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) | Documentation |
Serverless Function Without X-Ray Tracing dc1ab429-1481-4540-9b1d-280e3f15f1f8 |
CloudFormation | Low | Observability | AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' | Documentation |
BOM - AWS EFS ef05a925-8568-4054-8ff1-f5ba82631c16 |
CloudFormation | Trace | Bill Of Materials | A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. | Documentation |
BOM - AWS SNS 42e7dca3-8cce-4325-8df0-108888259136 |
CloudFormation | Trace | Bill Of Materials | A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. | Documentation |
BOM - AWS EBS 0b0556ea-9cd9-476f-862e-20679dda752b |
CloudFormation | Trace | Bill Of Materials | A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). | Documentation |
BOM - AWS SQS 59a849c2-1127-4023-85a5-ef906dcd458c |
CloudFormation | Trace | Bill Of Materials | A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. | Documentation |
BOM - AWS MQ 209189f3-c879-48a7-9703-fbcfa96d0cef |
CloudFormation | Trace | Bill Of Materials | A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. | Documentation |
BOM - AWS S3 Buckets b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83 |
CloudFormation | Trace | Bill Of Materials | A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. | Documentation |
BOM - AWS Elasticache c689f51b-9203-43b3-9d8b-caed123f706c |
CloudFormation | Trace | Bill Of Materials | A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. | Documentation |
BOM - AWS MSK 2730c169-51d7-4ae7-99b5-584379eff1bb |
CloudFormation | Trace | Bill Of Materials | A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. | Documentation |
SNS Topic is Publicly Accessible ae53ce91-42b5-46bf-a84f-9a13366a4f13 |
CloudFormation | High | Access Control | SNS Topic Policy should not allow any principal to access | Documentation |
S3 Bucket Allows Get Action From All Principals f97b7d23-568f-4bcc-9ac9-02df0d57fbba |
CloudFormation | High | Access Control | S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. | Documentation |
S3 Bucket ACL Allows Read Or Write to All Users 07dda8de-d90d-469e-9b37-1aca53526ced |
CloudFormation | High | Access Control | S3 Buckets should not be readable and writable to all users | Documentation |
S3 Bucket Allows Put Action From All Principals f6397a20-4cf1-4540-a997-1d363c25ef58 |
CloudFormation | High | Access Control | S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. | Documentation |
S3 Bucket Allows List Action From All Principals faa8fddf-c0aa-4b2d-84ff-e993e233ebe9 |
CloudFormation | High | Access Control | S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. | Documentation |
S3 Bucket With All Permissions 4ae8af91-5108-42cb-9471-3bdbe596eac9 |
CloudFormation | High | Access Control | S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. | Documentation |
S3 Bucket Allows Delete Action From All Principals acc78859-765e-4011-a229-a65ea57db252 |
CloudFormation | High | Access Control | S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. | Documentation |
IAM Policy Grants Full Permissions f62aa827-4ade-4dc4-89e4-1433d384a368 |
CloudFormation | High | Access Control | IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. | Documentation |
S3 Bucket Allows Public Policy 860ba89b-b8de-4e72-af54-d6aee4138a69 |
CloudFormation | High | Access Control | S3 bucket allows public policy | Documentation |
ECS Service Admin Role Is Present 01986452-bdd8-4aaa-b5df-d6bf61d616ff |
CloudFormation | High | Access Control | ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role | Documentation |
S3 Bucket ACL Allows Read to Any Authenticated User 835d5497-a526-4aea-a23f-98a9afd1635f |
CloudFormation | High | Access Control | S3 Buckets should not be readable to any authenticated user | Documentation |
IAM Policies With Full Privileges 953b3cdb-ce13-428a-aa12-318726506661 |
CloudFormation | High | Access Control | IAM policies shouldn't allow full administrative privileges (for all resources) | Documentation |
S3 Bucket ACL Allows Read to All Users 219f4c95-aa50-44e0-97de-cf71f4641170 |
CloudFormation | High | Access Control | S3 Buckets should not be readable to all users | Documentation |
S3 Bucket Allows Restore Actions From All Principals 456b00a3-1072-4149-9740-6b8bb60251b0 |
CloudFormation | High | Access Control | S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. | Documentation |
S3 Bucket Access to Any Principal 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085 |
CloudFormation | High | Access Control | The S3 Bucket should not be associated with a policy statement that grants access to any principal | Documentation |
Lambda Functions With Full Privileges a0ae0a4e-712b-4115-8112-51b9eeed9d69 |
CloudFormation | High | Access Control | AWS Lambda Functions should not have roles with policies granting full administrative privileges. | Documentation |
MSK Broker Is Publicly Accessible 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab |
CloudFormation | High | Access Control | Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible | Documentation |
User Data Shell Script Is Encoded 48c3bc58-6959-4f27-b647-4fedeace23be |
CloudFormation | High | Encryption | User Data Shell Script must be encoded | Documentation |
ECS Task Definition Container With Plaintext Password f9b10cdb-eaab-4e39-9793-e12b94a582ad |
CloudFormation | High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. | Documentation |
User Data Contains Encoded Private Key 568cc372-ca64-420d-9015-ee347d00d288 |
CloudFormation | High | Encryption | User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily | Documentation |
MSK Cluster Encryption Disabled a976d63f-af0e-46e8-b714-8c1a9c4bf768 |
CloudFormation | High | Encryption | Ensure MSK Cluster encryption in rest and transit is enabled | Documentation |
Secure Ciphers Disabled be96849c-3df6-49c2-bc16-778a7be2519c |
CloudFormation | High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
ELB Without Secure Protocol 80908a75-586b-4c61-ab04-490f4f4525b8 |
CloudFormation | High | Encryption | Check if the ELB is setup with SSL or HTTPS for secure communication | Documentation |
Viewer Protocol Policy Allows HTTP 31733ee2-fef0-4e87-9778-65da22a8ecf1 |
CloudFormation | High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
RDS Storage Not Encrypted 5beacce3-4020-4a3d-9e1d-a36f953df630 |
CloudFormation | High | Encryption | RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' | Documentation |
ELB Using Insecure Protocols 61a94903-3cd3-4780-88ec-fc918819b9c8 |
CloudFormation | High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. | Documentation |
ElastiCache With Disabled at Rest Encryption e4ee3903-9225-4b6a-bdfb-e62dbadef821 |
CloudFormation | High | Encryption | Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled | Documentation |
RDS DB Instance With IAM Auth Disabled 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184 |
CloudFormation | High | Encryption | IAM Database Auth Enabled should be configured to true when compatible with engine and version | Documentation |
Redshift Not Encrypted 3b316b05-564c-44a7-9c3f-405bb95e211e |
CloudFormation | High | Encryption | AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) | Documentation |
Connection Between CloudFront Origin Not Encrypted a5366a50-932f-4085-896b-41402714a388 |
CloudFormation | High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
Redshift Cluster Without KMS CMK de76a0d6-66d5-45c9-9022-f05545b85c78 |
CloudFormation | High | Encryption | AWS Redshift Cluster should have KMS CMK defined | Documentation |
S3 Bucket SSE Disabled 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61 |
CloudFormation | High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required | Documentation |
Kinesis SSE Not Configured 7f65be75-90ab-4036-8c2a-410aef7bb650 |
CloudFormation | High | Encryption | AWS Kinesis Stream should have SSE (Server Side Encryption) defined | Documentation |
EFS Without KMS 6d087495-2a42-4735-abf7-02ef5660a7e6 |
CloudFormation | High | Encryption | Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys | Documentation |
DynamoDB With Aws Owned CMK c8dee387-a2e6-4a73-a942-183c975549ac |
CloudFormation | High | Encryption | AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. | Documentation |
CMK Unencrypted Storage ffee2785-c347-451e-89f3-11aeb08e5c84 |
CloudFormation | High | Encryption | Ensure that storage is encrypted. | Documentation |
ELB Using Weak Ciphers 809f77f8-d10e-4842-a84f-3be7b6ff1190 |
CloudFormation | High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. | Documentation |
S3 Bucket Without Server-side-encryption b2e8752c-3497-4255-98d2-e4ae5b46bbf5 |
CloudFormation | High | Encryption | S3 Buckets should have server-side encryption at rest enabled to protect sensitive data | Documentation |
ECS Cluster Not Encrypted At Rest 6c131358-c54d-419b-9dd6-1f7dd41d180c |
CloudFormation | High | Encryption | Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. | Documentation |
ElastiCache With Disabled Transit Encryption 3b02569b-fc6f-4153-b3a3-ba91022fed68 |
CloudFormation | High | Encryption | Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled | Documentation |
S3 Bucket Without SSL In Write Actions 38c64e76-c71e-4d92-a337-60174d1de1c9 |
CloudFormation | High | Encryption | S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) | Documentation |
CloudFormation Specifying Credentials Not Safe 9ecb6b21-18bc-4aa7-bd07-db20f1c746db |
CloudFormation | High | Encryption | Specifying credentials in the template itself is probably not safe to do. | Documentation |
EFS Not Encrypted 2ff8e83c-90e1-4d68-a300-6d652112e622 |
CloudFormation | High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
API Gateway Cache Encrypted Disabled 37cca703-b74c-48ba-ac81-595b53398e9b |
CloudFormation | High | Encryption | 'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true | Documentation |
SageMaker Data Encryption Disabled 709e6da6-fa1f-44cc-8f17-7f25f96dadbe |
CloudFormation | High | Encryption | Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. | Documentation |
DB Instance Publicly Accessible de38e1d5-54cb-4111-a868-6f7722695007 |
CloudFormation | High | Insecure Configurations | RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. | Documentation |
CloudFront Without Minimum Protocol TLS 1.2 dc17ee4b-ddf2-4e23-96e8-7a36abad1303 |
CloudFormation | High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
ECS Task Definition Network Mode Not Recommended 027a4b7a-8a59-4938-a04f-ed532512cf45 |
CloudFormation | High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
KMS Key With Vulnerable Policy da905474-7454-43c0-b8d2-5756ab951aba |
CloudFormation | High | Insecure Configurations | Checks if the policy is vulnerable and needs updating. | Documentation |
S3 Static Website Host Enabled 90501b1b-cded-4cc1-9e8b-206b85cda317 |
CloudFormation | High | Insecure Configurations | Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. | Documentation |
S3 Bucket With Unsecured CORS Rule 3609d27c-3698-483a-9402-13af6ae80583 |
CloudFormation | High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure | Documentation |
Redshift Publicly Accessible bdf8dcb4-75df-4370-92c4-606e4ae6c4d3 |
CloudFormation | High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false | Documentation |
Batch Job Definition With Privileged Container Properties 76ddf32c-85b1-4808-8935-7eef8030ab36 |
CloudFormation | High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
S3 Bucket Without Restriction Of Public Bucket 350cd468-0e2c-44ef-9d22-cfb73a62523c |
CloudFormation | High | Insecure Configurations | S3 bucket without restriction of public bucket | Documentation |
Root Account Has Active Access Keys 4c137350-7307-4803-8c04-17c09a7a9fcf |
CloudFormation | High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. | Documentation |
API Gateway Without Security Policy 8275fab0-68ec-4705-bbf4-86975edb170e |
CloudFormation | High | Insecure Configurations | API Gateway should have a Security Policy defined and use TLS 1.2. | Documentation |
Permissive Web ACL Default Action 6d64f311-3da6-45f3-80f1-14db9771ea40 |
CloudFormation | High | Insecure Defaults | WebAcl DefaultAction should not be ALLOW | Documentation |
Vulnerable Default SSL Certificate b4d9c12b-bfba-4aeb-9cb8-2358546d8041 |
CloudFormation | High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. | Documentation |
HTTP Port Open To Internet ddfc4eaa-af23-409f-b96c-bf5c45dc4daa |
CloudFormation | High | Networking and Firewall | The HTTP port is open to the internet in a Security Group | Documentation |
ELB Sensitive Port Is Exposed To Entire Network 78055456-f670-4d2e-94d5-392d1cf4f5e4 |
CloudFormation | High | Networking and Firewall | The load balancer of the application with a sensitive port connection is exposed to the entire internet. | Documentation |
EC2 Network ACL Overlapping Ports 77b6f1e2-bde4-4a6a-ae7e-a40659ff1576 |
CloudFormation | High | Networking and Firewall | NetworkACL Entries are reusing or overlapping ports which may create ineffective rules | Documentation |
EKS node group remote access 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3 |
CloudFormation | High | Networking and Firewall | Ensure Amazon EKS Node group has implict SSH access | Documentation |
Unrestricted Security Group Ingress 4a1e6b34-1008-4e61-a5f2-1f7c276f8d14 |
CloudFormation | High | Networking and Firewall | AWS Security Group Ingress CIDR should not be open to the world | Documentation |
EC2 Sensitive Port Is Publicly Exposed 494b03d3-bf40-4464-8524-7c56ad0700ed |
CloudFormation | High | Networking and Firewall | The EC2 instance has a sensitive port connection exposed to the entire network | Documentation |
DB Security Group With Public Scope 9564406d-e761-4e61-b8d7-5926e3ab8e79 |
CloudFormation | High | Networking and Firewall | The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it | Documentation |
Security Groups With Exposed Admin Ports cdbb0467-2957-4a77-9992-7b55b29df7b7 |
CloudFormation | High | Networking and Firewall | Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) | Documentation |
Default Security Groups With Unrestricted Traffic ea33fcf7-394b-4d11-a228-985c5d08f205 |
CloudFormation | High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. | Documentation |
Route53 Record Undefined 24d932e1-91f0-46ea-836f-fdbd81694151 |
CloudFormation | High | Networking and Firewall | Route53 HostedZone must have the Record Set defined. | Documentation |
Security Groups Allows Unrestricted Outbound Traffic 66f2d8f9-a911-4ced-ae27-34f09690bb2c |
CloudFormation | High | Networking and Firewall | No security group should allow unrestricted egress access | Documentation |
Fully Open Ingress e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5 |
CloudFormation | High | Networking and Firewall | ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses | Documentation |
Security Group With Unrestricted Access To SSH 6e856af2-62d7-4ba2-adc1-73b62cef9cc1 |
CloudFormation | High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Security Group | Documentation |
Security Group Unrestricted Access To RDP 3ae83918-7ec7-4cb8-80db-b91ef0f94002 |
CloudFormation | High | Networking and Firewall | Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) | Documentation |
Remote Desktop Port Open To Internet c9846969-d066-431f-9b34-8c4abafe422a |
CloudFormation | High | Networking and Firewall | The Remote Desktop port is open to the internet in a Security Group | Documentation |
DB Security Group Open To Large Scope 0104165b-02d5-426f-abc9-91fb48189899 |
CloudFormation | High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. | Documentation |
Unknown Port Exposed To Internet 829ce3b8-065c-41a3-ad57-e0accfea82d2 |
CloudFormation | High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
SageMaker Notebook Not Placed In VPC 9c7028d9-04c2-45be-b8b2-1188ccaefb36 |
CloudFormation | High | Networking and Firewall | SageMaker Notebook must be placed in a VPC | Documentation |
ALB Listening on HTTP 275a3217-ca37-40c1-a6cf-bb57d245ab32 |
CloudFormation | High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP | Documentation |
EC2 Public Instance Exposed Through Subnet c44c95fc-ae92-4bb8-bdf8-bb9bc412004a |
CloudFormation | High | Networking and Firewall | EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets | Documentation |
RDS Associated with Public Subnet 4e88adee-a8eb-4605-a78d-9fb1096e3091 |
CloudFormation | High | Networking and Firewall | RDS should not run in public subnet | Documentation |
Security Groups With Meta IP adcd0082-e90b-4b63-862b-21899f6e6a48 |
CloudFormation | High | Networking and Firewall | Security Groups allows 0.0.0.0/0 for all ports and protocols. | Documentation |
EC2 Instance Subnet Has Public IP Mapping On Launch b3de4e4c-14be-4159-b99d-9ad194365e4c |
CloudFormation | High | Networking and Firewall | EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true | Documentation |
Configuration Aggregator to All Regions Disabled 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d |
CloudFormation | High | Observability | AWS Config Configuration Aggregator All Regions must be set to True | Documentation |
CloudTrail Logging Disabled 5c0b06d5-b7a4-484c-aeb0-75a836269ff0 |
CloudFormation | High | Observability | Checks if logging is enabled for CloudTrail. | Documentation |
CMK Rotation Disabled 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5 |
CloudFormation | High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. | Documentation |
S3 Bucket CloudTrail Logging Disabled c3ce69fd-e3df-49c6-be78-1db3f802261c |
CloudFormation | High | Observability | Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail | Documentation |
SQS Queue Policy Allows NotAction 4fbfee74-8186-40d5-a24e-4baa76a855de |
CloudFormation | Medium | Access Control | AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited | Documentation |
KMS Allows Wildcard Principal f6049677-ec4a-43af-8779-5190b6d03cba |
CloudFormation | Medium | Access Control | KMS Should not allow Principal parameter to be set as * | Documentation |
SQS Queue Policy Allows NotPrincipal 4a8fc9a2-2b2f-4b3f-aa8d-401425872034 |
CloudFormation | Medium | Access Control | Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using NotPrincipal in the same policy statement as "Effect": "Allow" . |
Documentation |
EC2 Instance Has No IAM Role f914357d-8386-4d56-9ba6-456e5723f9a6 |
CloudFormation | Medium | Access Control | Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. | Documentation |
Empty Roles For ECS Cluster Task Definitions 7f384a5f-b5a2-4d84-8ca3-ee0a5247becb |
CloudFormation | Medium | Access Control | Check if any ECS cluster has not defined proper roles for services' task definitions. | Documentation |
SNS Topic Publicity Has Allow and NotAction Simultaneously 818f38ed-8446-4132-9c03-474d49e10195 |
CloudFormation | Medium | Access Control | SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. | Documentation |
IAM Policy On User e4239438-e639-44aa-adb8-866e400e3ade |
CloudFormation | Medium | Access Control | IAM policies should be applied to groups and not to users | Documentation |
EC2 Network ACL Ineffective Denied Traffic 2623d682-dccb-44cd-99d0-54d9fd62f8f2 |
CloudFormation | Medium | Access Control | Ineffective deny rules. A deny rule should be applied to all IP addresses. | Documentation |
ECR Repository Is Publicly Accessible 75be209d-1948-41f6-a8c8-e22dd0121134 |
CloudFormation | Medium | Access Control | Amazon ECR image repositories shouldn't have public access | Documentation |
IoT Policy Allows Wildcard Resource be5b230d-4371-4a28-a441-85dc760e2aa3 |
CloudFormation | Medium | Access Control | IoT Policy should not allow Resource to be set as * | Documentation |
API Gateway Method Does Not Contains An API Key 3641d5b4-d339-4bc2-bfb9-208fe8d3477f |
CloudFormation | Medium | Access Control | An API Key should be required on a method request. | Documentation |
Elasticsearch Without IAM Authentication 5c666ed9-b586-49ab-9873-c495a833b705 |
CloudFormation | Medium | Access Control | AWS Elasticsearch should ensure IAM Authentication | Documentation |
Neptune Cluster With IAM Database Authentication Disabled a3aa0087-8228-4e7e-b202-dc9036972d02 |
CloudFormation | Medium | Access Control | Neptune Cluster should have IAM Database Authentication enabled | Documentation |
API Gateway Without Configured Authorizer 7fd0d461-5b8c-4815-898c-f2b4b117eb28 |
CloudFormation | Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer | Documentation |
SQS Policy With Public Access 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d |
CloudFormation | Medium | Access Control | Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue | Documentation |
Public Lambda via API Gateway 57b12981-3816-4c31-b190-a1e614361dd2 |
CloudFormation | Medium | Access Control | Allowing to run lambda function using public API Gateway | Documentation |
S3 Bucket Allows Public ACL 48f100d9-f499-4c6d-b2b8-deafe47ffb26 |
CloudFormation | Medium | Access Control | S3 bucket allows public ACL | Documentation |
Lambda Permission Principal Is Wildcard 1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7 |
CloudFormation | Medium | Access Control | Lambda Permission Principal should not contain a wildcard. | Documentation |
IAM Policies Attached To User edc95c10-7366-4f30-9b4b-f995c84eceb5 |
CloudFormation | Medium | Access Control | IAM policies should be attached only to groups or roles | Documentation |
Cross-Account IAM Assume Role Policy Without ExternalId or MFA 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7 |
CloudFormation | Medium | Access Control | Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access | Documentation |
IoT Policy Allows Action as Wildcard 4d32780f-43a4-424a-a06d-943c543576a5 |
CloudFormation | Medium | Access Control | IoT Policy should not allow Action to be set as * | Documentation |
EBS Volume Not Attached To Instances 1819ac03-542b-4026-976b-f37addd59f3b |
CloudFormation | Medium | Availability | EBS Volumes that are unattached to instances may contain sensitive data | Documentation |
ElastiCache Nodes Not Created Across Multi AZ cfdef2e5-1fe4-4ef4-bea8-c56e08963150 |
CloudFormation | Medium | Availability | ElastiCache Nodes should have 'AZMode' set to 'cross-az' in in multi nodes cluster | Documentation |
CMK Is Unusable 2844c749-bd78-4cd1-90e8-b179df827602 |
CloudFormation | Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. | Documentation |
Auto Scaling Group With No Associated ELB ad21e616-5026-4b9d-990d-5b007bfe679c |
CloudFormation | Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. | Documentation |
ECS Service Without Running Tasks 79d745f0-d5f3-46db-9504-bef73e9fd528 |
CloudFormation | Medium | Availability | ECS Service should have at least 1 task running | Documentation |
Low RDS Backup Retention Period e649a218-d099-4550-86a4-1231e1fcb60d |
CloudFormation | Medium | Backup | AWS RDS backup retention policy should be at least 7 days | Documentation |
Stack Retention Disabled fe974ae9-858e-4991-bbd5-e040a834679f |
CloudFormation | Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction | Documentation |
RDS With Backup Disabled 8c415f6f-7b90-4a27-a44a-51047e1506f9 |
CloudFormation | Medium | Backup | Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup | Documentation |
RDS Multi-AZ Deployment Disabled 2b1d4935-9acf-48a7-8466-10d18bf51a69 |
CloudFormation | Medium | Backup | AWS RDS Instance should have a multi-az deployment | Documentation |
IAM Password Without Symbol d72a7869-e8b9-4e12-bcd2-e8be10b39fa7 |
CloudFormation | Medium | Best Practices | IAM password should have the required symbols | Documentation |
Cognito UserPool Without MFA 74a18d1a-cf02-4a31-8791-ed0967ad7fdc |
CloudFormation | Medium | Best Practices | AWS Cognito UserPool should have MFA (Multi-Factor Authentication) enabled for its users | Documentation |
IAM Managed Policy Applied to a User 0e5872b4-19a0-4165-8b2f-56d9e14b909f |
CloudFormation | Medium | Best Practices | Make sure that any managed IAM policies are implemented in a group and not in a user. | Documentation |
ECS No Load Balancer Attached fb2b0ecf-1492-491a-a70d-ba1df579175d |
CloudFormation | Medium | Best Practices | Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. | Documentation |
IAM User Without Password Reset a964d6e3-8e1e-4d93-8120-61fa640dd55a |
CloudFormation | Medium | Best Practices | IAM User Login Profile should exist and have PasswordResetRequired property set to true | Documentation |
IAM Password Without Lowercase Letter f4cf35d6-da92-48de-ab70-57be2b2e6497 |
CloudFormation | Medium | Best Practices | IAM Password should have at least one lowercase letter | Documentation |
IAM Password Without Number 839f238f-2e3a-4a72-b945-8abdf91af955 |
CloudFormation | Medium | Best Practices | IAM user resource Login Profile Password should have at least one number | Documentation |
IAM Password Without Uppercase Letter 445020f6-b69e-4484-847f-02d4b7768902 |
CloudFormation | Medium | Best Practices | IAM password should have at least one uppercase letter | Documentation |
IAM Password Without Minimum Length b1b20ae3-8fa7-4af5-a74d-a2145920fcb1 |
CloudFormation | Medium | Best Practices | IAM password should have the required minimum length | Documentation |
Config Rule For Encrypted Volumes Disabled 1b6322d9-c755-4f8c-b804-32c19250f2d9 |
CloudFormation | Medium | Encryption | Check if AWS config rules do not identify Encrypted Volumes as a source. | Documentation |
CodeBuild Not Encrypted d7467bb6-3ed1-4c82-8095-5e7a818d0aad |
CloudFormation | Medium | Encryption | CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined | Documentation |
API Gateway With Invalid Compression d6653eee-2d4d-4e6a-976f-6794a497999a |
CloudFormation | Medium | Encryption | API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. | Documentation |
Unscanned ECR Image 9025b2b3-e554-4842-ba87-db7aeec36d35 |
CloudFormation | Medium | Encryption | Checks if the ECR Image has been scanned | Documentation |
ElasticSearch Encryption With KMS Disabled d926aa95-0a04-4abc-b20c-acf54afe38a1 |
CloudFormation | Medium | Encryption | Check if any ElasticSearch domain isn't encrypted with KMS. | Documentation |
AmazonMQ Broker Encryption Disabled 316278b3-87ac-444c-8f8f-a733a28da60f |
CloudFormation | Medium | Encryption | AmazonMQ Broker should have Encryption Options defined | Documentation |
ElasticSearch Not Encrypted At Rest 86a248ab-0e01-4564-a82a-878303e253bb |
CloudFormation | Medium | Encryption | Check if ElasticSearch encryption is disabled at Rest | Documentation |
IAM Group Inline Policies a58d1a2d-4078-4b80-855b-84cc3f7f4540 |
CloudFormation | Medium | Encryption | IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted | Documentation |
KMS Key Rotation Disabled 235ca980-eb71-48f4-9030-df0c371029eb |
CloudFormation | Medium | Encryption | EnableKeyRotation should not be false or undefined | Documentation |
EMR Security Configuration Encryption Disabled 5b033ec8-f079-4323-b5c8-99d4620433a9 |
CloudFormation | Medium | Encryption | EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. | Documentation |
Alexa Skill Plaintext Client Secret Exposed 3c3b7a58-b018-4d07-9444-d9ee7156e111 |
CloudFormation | Medium | Encryption | Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information | Documentation |
Neptune Database Cluster Encryption Disabled bf4473f1-c8a2-4b1b-8134-bd32efabab93 |
CloudFormation | Medium | Encryption | Neptune database cluster storage should have encryption enabled | Documentation |
Memcached Disabled dd0971a6-09c3-4168-8474-a7ef8fbfd99d |
CloudFormation | Medium | Encryption | Check if the Memcached is disabled on the ElastiCache | Documentation |
EBS Volume Encryption Disabled 80b7ac3f-d2b7-4577-9b10-df7913497162 |
CloudFormation | Medium | Encryption | EBS volumes should be encrypted | Documentation |
Workspace Without Encryption 89827c57-5a8a-49eb-9731-976a606d70db |
CloudFormation | Medium | Encryption | Workspaces should have encryption enabled | Documentation |
RDS Storage Encryption Disabled 65844ba3-03a1-40a8-b3dd-919f122e8c95 |
CloudFormation | Medium | Encryption | RDS DBCluster should have storage encrypted set to true | Documentation |
SageMaker EndPoint Config Should Specify KmsKeyId Attribute 44034eda-1c3f-486a-831d-e09a7dd94354 |
CloudFormation | Medium | Encryption | KmsKeyId attribute should be defined | Documentation |
Default KMS Key Usage e52395b4-250b-4c60-81d5-2e58c1d37abc |
CloudFormation | Medium | Encryption | When StorageEncrypted is set to true, KmsKeyId should be defined, to avoid the use of the default KMS Key | Documentation |
SQS With SSE Disabled 12726829-93ed-4d51-9cbe-13423f4299e1 |
CloudFormation | Medium | Encryption | Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) | Documentation |
ECR Image Tag Not Immutable 33f41d31-86b1-46a4-81f7-9c9a671f59ac |
CloudFormation | Medium | Insecure Configurations | ECR image tags should be immutable, which prevents image tags from being overwritten. | Documentation |
Lambda Function Without Tags 8df8e857-bd59-44fa-9f4c-d77594b95b46 |
CloudFormation | Medium | Insecure Configurations | AWS Lambda Functions must have associated tags. | Documentation |
MQ Broker Is Publicly Accessible 68b6a789-82f8-4cfd-85de-e95332fe6a61 |
CloudFormation | Medium | Insecure Configurations | Check if any MQ Broker is not publicly accessible | Documentation |
IAM User LoginProfile Password Is In Plaintext 06adef8c-c284-4de7-aad2-af43b07a8ca1 |
CloudFormation | Medium | Insecure Configurations | IAM User LoginProfile Password must not be a plaintext string | Documentation |
IAM User Has Too Many Access Keys 48677914-6fdf-40ec-80c4-2b0e94079f54 |
CloudFormation | Medium | Insecure Configurations | An IAM User should not have more than one access key, since it increases the risk of unauthorized access and compromised credentials | Documentation |
API Gateway With Open Access 1056dfbb-5802-4762-bf2b-8b9b9684b1b0 |
CloudFormation | Medium | Insecure Configurations | API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. | Documentation |
API Gateway Without SSL Certificate ed4c48b8-eccc-4881-95c1-09fdae23db25 |
CloudFormation | Medium | Insecure Configurations | SSL Client Certificate should be enabled | Documentation |
EMR Cluster Without Security Configuration 48af92a5-c89b-4936-bc62-1086fe2bab23 |
CloudFormation | Medium | Insecure Configurations | EMR Cluster should have security configuration defined. | Documentation |
Lambda Functions Without Unique IAM Roles ae03f542-1423-402f-9cef-c834e7ee9583 |
CloudFormation | Medium | Insecure Configurations | AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks | Documentation |
SageMaker Enabling Internet Access 88d55d94-315d-4564-beee-d2d725feab11 |
CloudFormation | Medium | Insecure Configurations | SageMaker Notebook Instances must be created with direct internet access and root access disabled. | Documentation |
Inline Policies Are Attached To ECS Service 9e8c89b3-7997-4d15-93e4-7911b9db99fd |
CloudFormation | Medium | Insecure Configurations | Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. | Documentation |
GitHub Repository Set To Public 5906092d-5f74-490d-9a03-78febe0f65e1 |
CloudFormation | Medium | Insecure Configurations | Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') | Documentation |
Instance With No VPC 8a6d36cd-0bc6-42b7-92c4-67acc8576861 |
CloudFormation | Medium | Insecure Configurations | EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | Documentation |
RouterTable with Default Routing 4f0908b9-eb66-433f-9145-134274e1e944 |
CloudFormation | Medium | Insecure Defaults | Route Tables should use NAT gateways rather than a default route that permits all traffic. | Documentation |
S3 Bucket Should Have Bucket Policy 37fa8188-738b-42c8-bf82-6334ea567738 |
CloudFormation | Medium | Insecure Defaults | Checks if an S3 Bucket has a Bucket Policy with the same name; if so, the S3 Bucket has a Bucket Policy associated | Documentation |
Security Group Ingress With All Protocols 1a427b25-2e9e-4298-9530-0499a55e736b |
CloudFormation | Medium | Networking and Firewall | AWS Security Group Ingress should not specify all protocols, which would allow traffic on all ports | Documentation |
ELB With Security Group Without Outbound Rules 01d5a458-a6c4-452a-ac50-054d59275b7c |
CloudFormation | Medium | Networking and Firewall | An AWS Elastic Load Balancer (ELB) shouldn't have security groups without outbound rules | Documentation |
TCP/UDP Protocol Network ACL Entry Allows All Ports f57f849c-883b-4cb7-85e7-f7b199dff163 |
CloudFormation | Medium | Networking and Firewall | TCP/UDP protocol AWS Network ACL Entry should not allow all ports | Documentation |
Security Groups Without VPC Attached 493d9591-6249-47bf-8dc0-5c10161cc558 |
CloudFormation | Medium | Networking and Firewall | Security Groups must have a VPC. | Documentation |
Security Group Egress With All Protocols ee464fc2-54a6-4e22-b10a-c6dcd2474d0c |
CloudFormation | Medium | Networking and Firewall | AWS Security Group Egress should not specify all protocols, which would allow traffic on all ports | Documentation |
VPC Without Network Firewall 3e293410-d5b8-411f-85fd-7d26294f20c9 |
CloudFormation | Medium | Networking and Firewall | VPC should have a Network Firewall associated | Documentation |
ELB With Security Group Without Inbound Rules e200a6f3-c589-49ec-9143-7421d4a2c845 |
CloudFormation | Medium | Networking and Firewall | An AWS Elastic Load Balancer (ELB) shouldn't have security groups without inbound rules | Documentation |
API Gateway Endpoint Config is Not Private 4a8daf95-709d-4a36-9132-d3e19878fa34 |
CloudFormation | Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet | Documentation |
GameLift Fleet EC2 InboundPermissions With Port Range 43356255-495d-4148-ad8d-f6af5eac09dd |
CloudFormation | Medium | Networking and Firewall | AWS GameLift Fleet EC2InboundPermissions should have a single port | Documentation |
EC2 Permissive Network ACL Protocols 03879981-efa2-47a0-a818-c843e1441b88 |
CloudFormation | Medium | Networking and Firewall | To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). | Documentation |
API Gateway without WAF fcbf9019-566c-4832-a65c-af00d8137d2b |
CloudFormation | Medium | Networking and Firewall | API Gateway should have WAF (Web Application Firewall) enabled | Documentation |
Security Group Egress CIDR Open To World 1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a |
CloudFormation | Medium | Networking and Firewall | AWS Security Group Egress CIDR should not be open to the world | Documentation |
ALB Is Not Integrated With WAF 105ba098-1e34-48cd-b0f2-a8a43a51bf9b |
CloudFormation | Medium | Networking and Firewall | All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service | Documentation |
Security Group Ingress With Port Range 87482183-a8e7-4e42-a566-7a23ec231c16 |
CloudFormation | Medium | Networking and Firewall | AWS Security Group Ingress should have a single port | Documentation |
Security Group Egress With Port Range dae9c373-8287-462f-8746-6f93dad93610 |
CloudFormation | Medium | Networking and Firewall | AWS Security Group Egress should have a single port | Documentation |
API Gateway V2 Stage Access Logging Settings Not Defined 80d45af4-4920-4236-a56e-b7ef419d1941 |
CloudFormation | Medium | Observability | API Gateway V2 Stage should have Access Logging Settings defined. | Documentation |
API Gateway Deployment Without Access Log Setting 06ec63e3-9f72-4fe2-a218-2eb9200b8db5 |
CloudFormation | Medium | Observability | API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. | Documentation |
S3 Bucket Without Versioning a227ec01-f97a-4084-91a4-47b350c1db54 |
CloudFormation | Medium | Observability | S3 bucket should have versioning enabled | Documentation |
CloudWatch Metrics Disabled 5d3c1807-acb3-4bb0-be4e-0440230feeaf |
CloudFormation | Medium | Observability | Checks if CloudWatch Metrics is Enabled | Documentation |
ElasticSearch Without Slow Logs 086ea2eb-14a6-4fd4-914b-38e0bc8703e8 |
CloudFormation | Medium | Observability | Ensure that AWS Elasticsearch enables support for slow logs | Documentation |
CloudTrail Not Integrated With CloudWatch 65d07da5-9af5-44df-8983-52d2e6f24c44 |
CloudFormation | Medium | Observability | CloudTrail should be integrated with CloudWatch | Documentation |
GuardDuty Detector Disabled a25cd877-375c-4121-a640-730929936fac |
CloudFormation | Medium | Observability | Make sure that Amazon GuardDuty is Enabled | Documentation |
MQ Broker Logging Disabled e519ed6a-8328-4b69-8eb7-8fa549ac3050 |
CloudFormation | Medium | Observability | Check if MQ Brokers don't have logging enabled for either of the two possible options (audit and general). | Documentation |
MSK Cluster Logging Disabled fc7c2c15-f5d0-4b80-adb2-c89019f8f62b |
CloudFormation | Medium | Observability | Ensure MSK Cluster Logging is enabled | Documentation |
CloudTrail SNS Topic Name Undefined 3e09413f-471e-40f3-8626-990c79ae63f3 |
CloudFormation | Medium | Observability | Check if SNS topic name is set for CloudTrail | Documentation |
CloudFront Logging Disabled de77cd9f-0e8b-46cc-b4a4-b6b436838642 |
CloudFormation | Medium | Observability | AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined | Documentation |
API Gateway X-Ray Disabled 4ab10c48-bedb-4deb-8f3b-ff12783b61de |
CloudFormation | Medium | Observability | API Gateway should have X-Ray Tracing enabled | Documentation |
ELB Access Log Disabled ee12ad32-2863-4c0f-b13f-28272d115028 |
CloudFormation | Medium | Observability | ELB should have access log enabled | Documentation |
Redshift Cluster Logging Disabled 3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6 |
CloudFormation | Medium | Observability | Make sure Logging is enabled for Redshift Cluster | Documentation |
CloudTrail Multi Region Disabled 058ac855-989f-4378-ba4d-52d004020da7 |
CloudFormation | Medium | Observability | CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true | Documentation |
Stack Notifications Disabled 837e033c-4717-40bd-807e-6abaa30161b7 |
CloudFormation | Medium | Observability | AWS CloudFormation should have stack notifications enabled to be notified when an event occurs | Documentation |
ELBv2 ALB Access Log Disabled c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621 |
CloudFormation | Medium | Observability | ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. | Documentation |
CloudWatch Logging Disabled 0f0fb06b-0f2f-4374-8588-f2c7c348c7a0 |
CloudFormation | Medium | Observability | Check if CloudWatch logging is disabled for Route53 hosted zones | Documentation |
S3 Bucket Logging Disabled 4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c |
CloudFormation | Medium | Observability | Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable | Documentation |
High Access Key Rotation Period 800fa019-49dd-421b-9042-7331fdd83fa2 |
CloudFormation | Medium | Secret Management | ConfigRule should enforce access keys to be rotated within 90 days. | Documentation |
Amplify App OAuth Token Exposed 03b38885-8f4e-480c-a0e4-12c1affd15db |
CloudFormation | Medium | Secret Management | Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. | Documentation |
Directory Service Simple AD Password Exposed 6685d912-d81f-4cfa-95ad-e316ea31c989 |
CloudFormation | Medium | Secret Management | DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. | Documentation |
DMS Endpoint MongoDB Settings Password Exposed f988a17f-1139-46a3-8928-f27eafd8b024 |
CloudFormation | Medium | Secret Management | DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. | Documentation |
Directory Service Microsoft AD Password Set to Plaintext or Default Ref 06b9f52a-8cd5-459b-bdc6-21a22521e1be |
CloudFormation | Medium | Secret Management | Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. | Documentation |
Amplify App Basic Auth Config Password Exposed 71493c8b-3014-404c-9802-078b74496fb7 |
CloudFormation | Medium | Secret Management | Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. | Documentation |
RefreshToken Is Exposed 5b48c507-0d1f-41b0-a630-76817c6b4189 |
CloudFormation | Medium | Secret Management | Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string | Documentation |
SNS Topic Without KmsMasterKeyId 9d13b150-a2ab-42a1-b6f4-142e41f81e52 |
CloudFormation | Medium | Secret Management | KmsMasterKeyId attribute should not be undefined | Documentation |
Amplify App Access Token Exposed 73980e43-f399-4fcc-a373-658228f7adf7 |
CloudFormation | Medium | Secret Management | Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. | Documentation |
Secrets Manager Should Specify KmsKeyId c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22 |
CloudFormation | Medium | Secret Management | Secrets Manager Secret should explicitly specify KmsKeyId; this allows the secret to be shared cross-account | Documentation |
Amplify Branch Basic Auth Config Password Exposed dfb56e5d-ee68-446e-b32a-657b62befe69 |
CloudFormation | Medium | Secret Management | Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. | Documentation |
DMS Endpoint Password Exposed 5f700072-b7ce-4e84-b3f3-497bf1c24a4d |
CloudFormation | Medium | Secret Management | DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. | Documentation |
DocDB Cluster Master Password In Plaintext 39423ce4-9011-46cd-b6b1-009edcd9385d |
CloudFormation | Medium | Secret Management | DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. | Documentation |
EBS Volume Without KmsKeyId b7063015-6c31-4658-a8e7-14f98f37fd42 |
CloudFormation | Medium | Secret Management | EBS Volume should specify a KmsKeyId value | Documentation |
Hardcoded AWS Access Key In Lambda 2564172f-c92b-4261-9acd-464aed511696 |
CloudFormation | Medium | Secret Management | Lambda access/secret keys should not be hardcoded | Documentation |
Support Has No Role Associated d71b5fd7-9020-4b2d-9ec8-b3839faa2744 |
CloudFormation | Low | Access Control | Check if any AWS Support policy has no role, user, or group associated, which means it is not being managed. | Documentation |
IAM Group Without Users 8f957abd-9703-413d-87d3-c578950a753c |
CloudFormation | Low | Access Control | IAM Group should have at least one user associated | Documentation |
IAM Policy Grants 'AssumeRole' Permission Across All Services e835bd0d-65da-49f7-b6d1-b646da8727e6 |
CloudFormation | Low | Access Control | IAM Policy should not grant 'AssumeRole' permission across all services. | Documentation |
IAM Role Allows All Principals To Assume f80e3aa7-7b34-4185-954e-440a6894dde6 |
CloudFormation | Low | Access Control | IAM role allows all services or principals to assume it | Documentation |
EC2 Instance Using Default Security Group 08b81bb3-0985-4023-8602-b606ad81d279 |
CloudFormation | Low | Access Control | EC2 instances should not use default security group(s) | Documentation |
IAM User With No Group 06933df4-0ea7-461c-b9b5-104d27390e0e |
CloudFormation | Low | Access Control | An IAM user should belong to a group | Documentation |
VPC Attached With Too Many Gateways 97e94d17-e2c7-4109-a53b-6536ac1bb64e |
CloudFormation | Low | Availability | The number of gateways attached to a VPC should not approach or exceed the limit of 3 | Documentation |
RDS DB Instance With Deletion Protection Disabled 2c161e58-cb52-454f-abea-6470c37b5e6e |
CloudFormation | Low | Backup | RDS DBInstance should have deletion protection set to true | Documentation |
IAM Access Analyzer Not Enabled 8d29754a-2a18-460d-a1ba-9509f8d359da |
CloudFormation | Low | Best Practices | IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions | Documentation |
Geo Restriction Disabled 7f8843f0-9ea5-42b4-a02b-753055113195 |
CloudFormation | Low | Best Practices | Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content | Documentation |
IAM Policies Without Groups 5e7acff5-095b-40ac-9073-ac2e4ad8a512 |
CloudFormation | Low | Best Practices | IAM policies should not be applied directly to users; they should be applied through a group | Documentation |
Security Group Ingress Has CIDR Not Recommended a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd |
CloudFormation | Low | Best Practices | AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 | Documentation |
CDN Configuration Is Missing e4f54ff4-d352-40e8-a096-5141073c37a2 |
CloudFormation | Low | Best Practices | Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. | Documentation |
Lambda Permission Misconfigured 9b83114b-b2a1-4534-990d-06da015e47aa |
CloudFormation | Low | Best Practices | Lambda permission may be misconfigured if the Action field is not set to 'lambda:InvokeFunction' | Documentation |
Automatic Minor Upgrades Disabled f0104061-8bfc-4b45-8a7d-630eb502f281 |
CloudFormation | Low | Best Practices | RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. | Documentation |
EFS Without Tags 08e39832-5e42-4304-98a0-aa5b43393162 |
CloudFormation | Low | Build Process | Amazon Elastic Filesystem should have filesystem tags associated | Documentation |
DynamoDB With Not Recommended Table Billing Mode c333e906-8d8b-4275-b999-78b6318f8dc6 |
CloudFormation | Low | Build Process | Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED | Documentation |
CloudTrail Log Files Not Encrypted With KMS 050a9ba8-d1cb-4c61-a5e8-8805a70d3b85 |
CloudFormation | Low | Encryption | Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail | Documentation |
API Gateway Cache Cluster Disabled 52790cad-d60d-41d5-8483-146f9f21208d |
CloudFormation | Low | Insecure Configurations | AWS API Gateway should have cache clustering enabled | Documentation |
Lambda Function Without Dead Letter Queue c2eae442-d3ba-4cb1-84ca-1db4f80eae3d |
CloudFormation | Low | Insecure Configurations | AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) | Documentation |
S3 Bucket Without Ignore Public ACL 6c8d51af-218d-4bfb-94a9-94eabaa0703a |
CloudFormation | Low | Insecure Configurations | S3 bucket should have the Ignore Public ACL setting enabled | Documentation |
Wildcard In ACM Certificate Domain Name cc8b294f-006f-4f8f-b5bb-0a9140c33131 |
CloudFormation | Low | Insecure Configurations | ACM Certificate should not use wildcards (*) in the domain name | Documentation |
RDS Using Default Port 1fe9d958-ddce-4228-a124-05265a959a8b |
CloudFormation | Low | Networking and Firewall | RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 | Documentation |
ElastiCache Without VPC ba766c53-fe71-4bbb-be35-b6803f2ef13e |
CloudFormation | Low | Networking and Firewall | ElastiCache should be launched in a Virtual Private Cloud (VPC) | Documentation |
ElastiCache Using Default Port 323db967-c68e-44e6-916c-a777f95af34b |
CloudFormation | Low | Networking and Firewall | ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 | Documentation |
EC2 Network ACL Duplicate Rule 045ddb54-cfc5-4abb-9e05-e427b2bc96fe |
CloudFormation | Low | Networking and Firewall | A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress | Documentation |
EC2 Instance Using Default VPC e42a3ef0-5325-4667-84bf-075ba1c9d58e |
CloudFormation | Low | Networking and Firewall | EC2 Instances should not be configured under a default VPC network | Documentation |
EMR Without VPC bf89373a-be40-4c04-99f5-746742dfd7f3 |
CloudFormation | Low | Networking and Firewall | Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) | Documentation |
CloudFront Without WAF 0f139403-303f-467c-96bd-e717e6cfd62d |
CloudFormation | Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service | Documentation |
Redshift Using Default Port a478af30-8c3a-404d-aa64-0b673cee509a |
CloudFormation | Low | Networking and Firewall | Redshift should not use the default port (5439) because an attacker can easily guess the port | Documentation |
Shield Advanced Not In Use ad7444cf-817a-4765-a79e-2145f7981faf |
CloudFormation | Low | Networking and Firewall | AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks | Documentation |
Lambda Functions Without X-Ray Tracing 9488c451-074e-4cd3-aee3-7db6104f542c |
CloudFormation | Low | Observability | AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' | Documentation |
CloudTrail Log File Validation Disabled 2a3560fe-52ca-4443-b34f-bf0ed5eb74c8 |
CloudFormation | Low | Observability | CloudTrail log file validation should be enabled to determine whether a log file has been tampered with | Documentation |
API Gateway Deployment Without API Gateway UsagePlan Associated 783860a3-6dca-4c8b-81d0-7b62769ccbca |
CloudFormation | Low | Observability | API Gateway Deployment should have API Gateway UsagePlan defined and associated. | Documentation |
ECS Task Definition HealthCheck Missing d24389b4-b209-4ff0-8345-dc7a4569dcdd |
CloudFormation | Low | Observability | Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks | Documentation |
VPC FlowLogs Disabled f6d299d2-21eb-41cc-b1e1-fe12d857500b |
CloudFormation | Low | Observability | Every VPC resource should have an associated Flow Log | Documentation |
API Gateway Stage Without API Gateway UsagePlan Associated 7f8f1b60-43df-4c28-aa21-fb836dbd8071 |
CloudFormation | Low | Resource Management | API Gateway Stage should have API Gateway UsagePlan defined and associated. | Documentation |
VPC Without Attached Subnet 3b3b4411-ad1f-40e7-b257-a78a6bb9673a |
CloudFormation | Low | Resource Management | VPCs without attached subnets may indicate that they are not being used | Documentation |
SDB Domain Declared As A Resource 6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d |
CloudFormation | Low | Resource Management | SimpleDB Domain resource should not be declared | Documentation |
ECS Task Definition Invalid CPU or Memory f4c9b5f5-68b8-491f-9e48-4f96644a1d51 |
CloudFormation | Low | Resource Management | In an ECS Task Definition with the FARGATE launch type, specifying an invalid CPU or Memory value results in an error | Documentation |
Security Group Rule Without Description 5e6c9c68-8a82-408e-8749-ddad78cbb9c5 |
CloudFormation | Info | Best Practices | It's considered a best practice for AWS Security Group to have a description | Documentation |
EC2 Not EBS Optimized 8dd0ff1f-0da4-48df-9bb3-7f338ae36a40 |
CloudFormation | Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance | Documentation |
Client Certificate Authentication Not Setup Properly e0e00aba-5f1c-4981-a542-9a9563c0ee20 |
Kubernetes | High | Access Control | Client Certificate Authentication should be set up with a .pem or .crt file | Documentation |
Basic Auth File Is Set 5da47109-f8d6-4585-9e2b-96a8958a12f5 |
Kubernetes | High | Access Control | When using kube-apiserver command, the 'basic-auth-file' flag should not be set | Documentation |
Use Service Account Credentials Not Set To True 1acd93f1-5a37-45c0-aaac-82ece818be7d |
Kubernetes | High | Access Control | When using kube-controller-manager commands, the '--use-service-account-credentials' flag should be set to true | Documentation |
Node Restriction Admission Control Plugin Not Set 33fc6923-6553-4fe6-9d3a-4efa51eb874b |
Kubernetes | High | Access Control | When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
Token Auth File Is Set 32ecd76e-7bbf-402e-bf48-8b9485749558 |
Kubernetes | High | Access Control | When using kube-apiserver command, the 'token-auth-file' flag should not be set | Documentation |
Always Admit Admission Control Plugin Set ce30e584-b33f-4c7d-b418-a3d7027f8f60 |
Kubernetes | High | Access Control | When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin | Documentation |
RBAC Wildcard In Rule 6b896afb-ca07-467a-b256-1a0077a1c08e |
Kubernetes | High | Access Control | Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions | Documentation |
Service Account Lookup Set To False a5530bd7-225a-48f9-91bb-f40b04200165 |
Kubernetes | High | Access Control | When using kube-apiserver command, the '--service-account-lookup' flag should be set to true | Documentation |
Pod Security Policy Admission Control Plugin Not Set afa36afb-39fe-4d94-b9b6-afb236f7a03d |
Kubernetes | High | Build Process | When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file | Documentation |
Service Account Private Key File Not Defined ccc98ff7-68a7-436e-9218-185cb0b0b780 |
Kubernetes | High | Encryption | When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined | Documentation |
Not Limited Capabilities For Pod Security Policy caa93370-791f-4fc6-814b-ba6ce0cb4032 |
Kubernetes | High | Insecure Configurations | Limit capabilities for a Pod Security Policy | Documentation |
Shared Host PID Namespace 302736f4-b16c-41b8-befe-c0baffa0bd9d |
Kubernetes | High | Insecure Configurations | Container should not share the host process ID namespace | Documentation |
Cluster Allows Unsafe Sysctls 9127f0d9-2310-42e7-866f-5fd9d20dcbad |
Kubernetes | High | Insecure Configurations | A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. | Documentation |
PSP Allows Containers To Share The Host Network Namespace a33e9173-b674-4dfb-9d82-cf3754816e4b |
Kubernetes | High | Insecure Configurations | Check if Pod Security Policies allow containers to share the host network namespace. | Documentation |
Tiller (Helm v2) Is Deployed 6d173be7-545a-46c6-a81d-2ae52ed1605d |
Kubernetes | High | Insecure Configurations | Check if Tiller is deployed. | Documentation |
Tiller Service Is Not Deleted 8b862ca9-0fbd-4959-ad72-b6609bdaa22d |
Kubernetes | High | Insecure Configurations | Check if there is any Tiller Service present | Documentation |
NET_RAW Capabilities Not Being Dropped dbbc6705-d541-43b0-b166-dd4be8208b54 |
Kubernetes | High | Insecure Configurations | Containers should drop 'ALL' or at least 'NET_RAW' capabilities | Documentation |
Object Is Using A Deprecated API Version 94b76ea5-e074-4ca2-8a03-c5a606e30645 |
Kubernetes | High | Insecure Configurations | Check if any objects are using a deprecated version of API. | Documentation |
Privilege Escalation Allowed 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d |
Kubernetes | High | Insecure Configurations | Containers should set 'allowPrivilegeEscalation' to false to prevent them from gaining more privileges than their parent process | Documentation |
Container Is Privileged dd29336b-fe57-445b-a26e-e6aa867ae609 |
Kubernetes | High | Insecure Configurations | Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false | Documentation |
Role Binding To Default Service Account 1e749bc9-fde8-471c-af0c-8254efd2dee5 |
Kubernetes | High | Insecure Defaults | No role nor cluster role should bind to a default service account | Documentation |
Etcd TLS Certificate Not Properly Configured 895a5a95-3756-4b04-9924-2f3bc93181bd |
Kubernetes | High | Networking and Firewall | When using the kube-apiserver command, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined | Documentation |
Insecure Port Not Properly Set fa4def8c-1898-4a35-a139-7b76b1acdef0 |
Kubernetes | High | Networking and Firewall | When using the kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 | Documentation |
Etcd Peer TLS Certificate Files Not Properly Set 09bb9e96-8da3-4736-b89a-b36814acca60 |
Kubernetes | High | Networking and Firewall | When using the etcd command, the '--peer-cert-file' and '--peer-key-file' flags should be defined | Documentation |
Etcd TLS Certificate Files Not Properly Set 075ca296-6768-4322-aea2-ba5063b969a9 |
Kubernetes | High | Networking and Firewall | When using the etcd command, the '--cert-file' and '--key-file' flags should be defined | Documentation |
TLS Connection Certificate Not Setup fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f |
Kubernetes | High | Networking and Firewall | TLS connection certificate files ('--tls-cert-file' and '--tls-private-key-file') should be set up | Documentation |
Insecure Bind Address Set b9380fd3-5ffe-4d10-9290-13e18e71eee1 |
Kubernetes | High | Networking and Firewall | When using the kube-apiserver command, the '--insecure-bind-address' flag should not be set | Documentation |
Bind Address Not Properly Set 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2 |
Kubernetes | High | Networking and Firewall | When using the kube-controller-manager or kube-scheduler command, the '--bind-address' flag should be set to 127.0.0.1 so that the component's endpoints are not reachable from other hosts | Documentation |
Secure Port Set To Zero 3d24b204-b73d-42cb-b0bf-1a5438c5f71e |
Kubernetes | High | Networking and Firewall | When using the kube-apiserver command, the '--secure-port' flag should not be set to 0 | Documentation |
Tiller Deployment Is Accessible From Within The Cluster e17fa86a-6222-4584-a914-56e8f6c87e06 |
Kubernetes | High | Networking and Firewall | Check if any Tiller Deployment container allows access from within the cluster. | Documentation |
Kubelet HTTPS Set To False cdc8b54e-6b16-4538-a1b0-35849dbe29cf |
Kubernetes | High | Networking and Firewall | When using the kube-apiserver command, the '--kubelet-https' flag should not be set to false | Documentation |
PSP With Unrestricted Access to Host Path de4421f1-4e35-43b4-9783-737dd4e4a47e |
Kubernetes | High | Resource Management | PodSecurityPolicy should set 'readOnly' to true in every host path allowed | Documentation |
Auto TLS Set To True 98ce8b81-7707-4734-aa39-627c6db3d84b |
Kubernetes | High | Secret Management | When using the etcd command, the '--auto-tls' flag should be set to false | Documentation |
Peer Auto TLS Set To True ae8827e2-4af9-4baa-9998-87539ae0d6f0 |
Kubernetes | High | Secret Management | When using the etcd command, the '--peer-auto-tls' flag should be set to false | Documentation |
Authorization Mode Set To Always Allow f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 |
Kubernetes | Medium | Access Control | When using the kubelet command, the '--authorization-mode' flag should not include 'AlwaysAllow' | Documentation |
RBAC Roles with Exec Permission c589f42c-7924-4871-aee2-1cede9bc7cbc |
Kubernetes | Medium | Access Control | Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' subresource should not be granted in production environments | Documentation |
RBAC Roles with Attach Permission d45330fd-f58d-45fb-a682-6481477a0f84 |
Kubernetes | Medium | Access Control | Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container, resulting in a privilege escalation attack. To prevent this, the 'pods/attach' subresource should not be granted in production environments | Documentation |
RBAC Roles with Impersonate Permission 9f85c3f6-26fd-4007-938a-2e0cb0100980 |
Kubernetes | Medium | Access Control | Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation | Documentation |
Service Account Admission Control Plugin Disabled 9587c890-0524-40c2-9ce2-663af7c2f063 |
Kubernetes | Medium | Access Control | When using the kube-apiserver command, the '--disable-admission-plugins' flag should not include the 'ServiceAccount' plugin | Documentation |
Non Kube System Pod With Host Mount aa8f7a35-9923-4cad-bd61-a19b7f6aac91 |
Kubernetes | Medium | Access Control | A non kube-system workload should not have hostPath mounted | Documentation |
RBAC Roles with Read Secrets Permissions b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 |
Kubernetes | Medium | Access Control | Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys | Documentation |
Anonymous Auth Is Not Set To False 1de5cc51-f376-4638-a940-20f2e85ae238 |
Kubernetes | Medium | Access Control | When using the kubelet or kube-apiserver command, the '--anonymous-auth' flag should be set to false (--anonymous-auth=false) | Documentation |
Permissive Access to Create Pods 592ad21d-ad9b-46c6-8d2d-fad09d62a942 |
Kubernetes | Medium | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation. | Documentation |
Authorization Mode RBAC Not Set 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e |
Kubernetes | Medium | Access Control | When using the kube-apiserver command, the '--authorization-mode' flag should include 'RBAC' | Documentation |
RBAC Roles with Port-Forwarding Permission 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb |
Kubernetes | Medium | Access Control | Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions | Documentation |
RBAC Roles Allow Privilege Escalation 8320826e-7a9c-4b0b-9535-578333193432 |
Kubernetes | Medium | Access Control | Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges | Documentation |
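The RBAC rows above (wildcard rules, 'pods/exec', 'pods/attach', 'pods/portforward', 'impersonate', reads on secrets, 'bind'/'escalate', and pod creation) all reduce to inspecting the 'rules' list of a Role or ClusterRole. The following Python is an added example, not code from this catalogue or from the scanner it documents: the three manifests are constructed for it (Python dicts equivalent to the YAML objects), the finding names reuse the query names above, and the choice to look for the 'create' verb on the exec/attach/portforward subresources is the editor's, since that is the verb that opens those sessions.

```python
# Added example: a stand-alone evaluation of the RBAC checks listed above over
# Role/ClusterRole manifests. Not part of the catalogue or of the scanner it
# documents; the manifests are constructed for this example.

SECRET_READ_VERBS = {"get", "list", "watch"}


def _grants(rule, resource, verbs):
    """True if one RBAC rule grants any of `verbs` on `resource`.
    A '*' in resources or verbs counts as a grant, because it is one."""
    resources = set(rule.get("resources", []))
    rule_verbs = set(rule.get("verbs", []))
    res_match = "*" in resources or resource in resources
    verb_match = "*" in rule_verbs or bool(rule_verbs & set(verbs))
    return res_match and verb_match


def check_role(role):
    """Return the sorted finding names that apply to one Role or ClusterRole."""
    findings = set()
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
            findings.add("RBAC Wildcard In Rule")
        # exec/attach/portforward are Pod subresources; the session is opened
        # with the 'create' verb on them, so that is what these checks look for
        if _grants(rule, "pods/exec", {"create"}):
            findings.add("RBAC Roles with Exec Permission")
        if _grants(rule, "pods/attach", {"create"}):
            findings.add("RBAC Roles with Attach Permission")
        if _grants(rule, "pods/portforward", {"create"}):
            findings.add("RBAC Roles with Port-Forwarding Permission")
        if verbs & {"impersonate", "*"}:
            findings.add("RBAC Roles with Impersonate Permission")
        if _grants(rule, "secrets", SECRET_READ_VERBS):
            findings.add("RBAC Roles with Read Secrets Permissions")
        if verbs & {"bind", "escalate", "*"}:
            findings.add("RBAC Roles Allow Privilege Escalation")
        if _grants(rule, "pods", {"create"}):
            findings.add("Permissive Access to Create Pods")
    return sorted(findings)


def check_roles(roles):
    """Map '<kind>/<name>' to its findings, skipping objects with none."""
    report = {}
    for role in roles:
        found = check_role(role)
        if found:
            report[f"{role['kind']}/{role['metadata']['name']}"] = found
    return report


# Constructed manifests (Python dicts equivalent to the YAML objects).
WILDCARD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "example-wildcard"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
DEBUG_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "example-debug", "namespace": "dev"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
    ],
}
READER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "example-reader", "namespace": "dev"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
    ],
}

if __name__ == "__main__":
    for name, found in check_roles([WILDCARD_ROLE, DEBUG_ROLE, READER_ROLE]).items():
        print(name)
        for finding in found:
            print("  -", finding)
```

The wildcard ClusterRole trips every check at once, which is the point of the first row: a single '*' rule is not one finding but all of them. The debug Role shows the more common shape, a narrowly scoped role that still hands out 'pods/exec' and secret listing.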
Terminated Pod Garbage Collector Threshold Not Properly Set 49113af4-29ca-458e-b8d4-724c01a4a24f |
Kubernetes | Medium | Availability | When using the kube-controller-manager command, the '--terminated-pod-gc-threshold' flag should be set to a value between 0 and 12501 | Documentation |
Readiness Probe Is Not Configured a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 |
Kubernetes | Medium | Availability | Containers should have a readiness probe configured | Documentation |
Request Timeout Not Properly Set d89a15bb-8dba-4c71-9529-bef6729b9c09 |
Kubernetes | Medium | Availability | When using the kube-apiserver command, the '--request-timeout' flag should not be set to an excessively long value | Documentation |
Container Running With Low UID 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 |
Kubernetes | Medium | Best Practices | Check if containers are running with low UID, which might cause conflicts with the host's user table. | Documentation |
Container Running As Root cf34805e-3872-4c08-bf92-6ff7bb0cfadb |
Kubernetes | Medium | Best Practices | Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise | Documentation |
Root Containers Admitted e3aa0612-4351-4a0d-983f-aefea25cf203 |
Kubernetes | Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allowPrivilegeEscalation' must be set to false, 'readOnlyRootFilesystem' must be set to true, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden | Documentation |
Incorrect Volume Claim Access Mode ReadWriteOnce 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 |
Kubernetes | Medium | Build Process | Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' | Documentation |
Always Pull Images Admission Control Plugin Not Set a77f4d07-c6e0-4a48-8b35-0eeb51576f4f |
Kubernetes | Medium | Build Process | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'AlwaysPullImages' plugin, and the plugin should be correctly configured in the admission control config file | Documentation |
Encryption Provider Config Is Not Defined cbd2db69-0b21-4c14-8a40-7710a50571a9 |
Kubernetes | Medium | Encryption | When using the kube-apiserver command, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in the EncryptionConfiguration file | Documentation |
Weak TLS Cipher Suites 510d5810-9a30-443a-817d-5c1fa527b110 |
Kubernetes | Medium | Encryption | TLS Connection should use strong Cipher Suites | Documentation |
Root CA File Not Defined 05fb986f-ac73-4ebb-a5b2-7faafa93d882 |
Kubernetes | Medium | Encryption | When using the kube-controller-manager command, the '--root-ca-file' flag should be defined | Documentation |
Encryption Provider Not Properly Configured 10efce34-5af6-4d83-b414-9e096d5a06a9 |
Kubernetes | Medium | Encryption | The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider | Documentation |
Workload Mounting With Sensitive OS Directory 5308a7a8-06f8-45ac-bf10-791fe21de46e |
Kubernetes | Medium | Insecure Configurations | A workload should not mount a volume backed by a sensitive host OS directory | Documentation |
PSP With Added Capabilities 7307579a-3abb-46ad-9ce5-2a915634d5c8 |
Kubernetes | Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities | Documentation |
Ingress Controller Exposes Workload 69bbc5e3-0818-4150-89cc-1e989b48f23b |
Kubernetes | Medium | Insecure Configurations | Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks | Documentation |
NET_RAW Capabilities Disabled for PSP 2270987f-bb51-479f-b8be-3ca73e5ad648 |
Kubernetes | Medium | Insecure Configurations | A PodSecurityPolicy should list 'NET_RAW' or 'ALL' in 'requiredDropCapabilities' | Documentation |
PSP Set To Privileged c48e57d3-d642-4e0b-90db-37f807b41b91 |
Kubernetes | Medium | Insecure Configurations | Do not allow pod to request execution as privileged. | Documentation |
PSP Allows Sharing Host IPC 80f93444-b240-4ebb-a4c6-5c40b76c04ea |
Kubernetes | Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace | Documentation |
Containers With Added Capabilities 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 |
Kubernetes | Medium | Insecure Configurations | Containers should not have extra capabilities allowed | Documentation |
Security Context Deny Admission Control Plugin Not Set 6a68bebe-c021-492e-8ddb-55b0567fb768 |
Kubernetes | Medium | Insecure Configurations | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'SecurityContextDeny' plugin, and the plugin should be correctly configured in the admission control config file, when the 'PodSecurityPolicy' plugin is not set | Documentation |
Seccomp Profile Is Not Configured f377b83e-bd07-4f48-a591-60c82b14a78b |
Kubernetes | Medium | Insecure Configurations | Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls | Documentation |
Using Unrecommended Namespace 611ab018-c4aa-4ba2-b0f6-a448337509a6 |
Kubernetes | Medium | Insecure Configurations | Namespaces like 'default', 'kube-system' or 'kube-public' should not be used | Documentation |
Kubelet Protect Kernel Defaults Set To False 6cf42c97-facd-4fda-b8af-ea4529123355 |
Kubernetes | Medium | Insecure Configurations | When using the kubelet command, the '--protect-kernel-defaults' flag should be set to true | Documentation |
Containers With Sys Admin Capabilities 235236ee-ad78-4065-bd29-61b061f28ce0 |
Kubernetes | Medium | Insecure Configurations | Containers should not have CAP_SYS_ADMIN Linux capability | Documentation |
Container Runs Unmasked f922827f-aab6-447c-832a-e1ff63312bd3 |
Kubernetes | Medium | Insecure Configurations | Check if a container has full access (unmasked) to the host's /proc filesystem ('procMount: Unmasked'), which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime | Documentation |
PSP Allows Privilege Escalation 87554eef-154d-411d-bdce-9dbd91e56851 |
Kubernetes | Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation | Documentation |
Not Limited Capabilities For Container 2f1a0619-b12b-48a0-825f-993bb6f01d58 |
Kubernetes | Medium | Insecure Configurations | Limit the capabilities for a Container. | Documentation |
PSP Allows Sharing Host PID 91dacd0e-d189-4a9c-8272-5999a3cc32d9 |
Kubernetes | Medium | Insecure Configurations | Pod Security Policy allows containers to share the host process ID namespace | Documentation |
Authorization Mode Node Not Set 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1 |
Kubernetes | Medium | Insecure Configurations | When using the kube-apiserver command, the '--authorization-mode' flag should include 'Node' | Documentation |
Service Account Token Automount Not Disabled 48471392-d4d0-47c0-b135-cdec95eb3eef |
Kubernetes | Medium | Insecure Defaults | Service account tokens are mounted automatically even when they are not needed; set 'automountServiceAccountToken' to false on workloads that do not call the Kubernetes API | Documentation |
Service Account Name Undefined Or Empty 591ade62-d6b0-4580-b1ae-209f80ba1cd9 |
Kubernetes | Medium | Insecure Defaults | A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. | Documentation |
Kubelet Streaming Connection Timeout Disabled ed89b97d-04e9-4fd4-919f-ee5b27e555e9 |
Kubernetes | Medium | Networking and Firewall | When using the kubelet command, the '--streaming-connection-idle-timeout' flag should not be set to 0 | Documentation |
CNI Plugin Does Not Support Network Policies 03aabc8c-35d6-481e-9c85-20139cf72d23 |
Kubernetes | Medium | Networking and Firewall | Ensure the use of a CNI plugin that supports Network Policies. If the CNI plugin in use does not support Network Policies, it may not be possible to effectively restrict traffic in the cluster | Documentation |
Kubelet Read Only Port Is Not Set To Zero 2940d48a-dc5e-4178-a3f8-bfbd80720b41 |
Kubernetes | Medium | Networking and Firewall | When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) | Documentation |
Pod Misconfigured Network Policy 0401f71b-9c1e-4821-ab15-a955caa621be |
Kubernetes | Medium | Networking and Firewall | Check if any pod is not being targeted by a proper network policy. | Documentation |
Network Policy Is Not Targeting Any Pod 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 |
Kubernetes | Medium | Networking and Firewall | Check if any network policy is not targeting any pod. | Documentation |
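The two rows above are the same computation seen from both sides: match every NetworkPolicy's 'podSelector' against the labels of the pods in its namespace, then report pods that no policy selected and policies that selected nothing. The Python below is an added example, not code from this catalogue or from the scanner it documents; the pods and policies are constructed for it, and the selector evaluation covers 'matchLabels' plus the four 'matchExpressions' operators (In, NotIn, Exists, DoesNotExist) rather than only the equality case the rows mention.

```python
# Added example: label-selector matching used to find (a) pods that no
# NetworkPolicy selects and (b) NetworkPolicies that select no pod. Not part of
# the catalogue or of the scanner it documents; the manifests are constructed.


def selector_matches(selector, labels):
    """Evaluate a LabelSelector against a pod's labels, covering matchLabels and
    the In / NotIn / Exists / DoesNotExist operators of matchExpressions.
    An empty selector ({}) matches every pod in the namespace, as it does in
    a NetworkPolicy's podSelector."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        present = key in labels
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def _ns(obj):
    return obj["metadata"].get("namespace", "default")


def _key(obj):
    return f"{_ns(obj)}/{obj['metadata']['name']}"


def check_network_policies(pods, policies):
    """Return (pods_without_policy, policies_without_pods), both sorted lists
    of 'namespace/name'. A NetworkPolicy is namespaced and its podSelector only
    ever selects pods in that same namespace."""
    covered, idle = set(), []
    for policy in policies:
        selector = policy["spec"].get("podSelector", {})
        matched = [_key(pod) for pod in pods
                   if _ns(pod) == _ns(policy)
                   and selector_matches(selector, pod["metadata"].get("labels", {}))]
        if matched:
            covered.update(matched)
        else:
            idle.append(_key(policy))
    uncovered = sorted(_key(pod) for pod in pods if _key(pod) not in covered)
    return uncovered, sorted(idle)


def _pod(name, namespace, labels):
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": namespace, "labels": labels}}


def _policy(name, namespace, pod_selector):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress", "Egress"]}}


# Constructed sample cluster state.
PODS = [
    _pod("web-0", "default", {"app": "web", "tier": "frontend"}),
    _pod("db-0", "default", {"app": "db", "tier": "backend"}),
    _pod("web-0", "staging", {"app": "web"}),
]
POLICIES = [
    _policy("web-ingress", "default", {"matchLabels": {"app": "web"}}),
    _policy("cache-ingress", "default", {"matchLabels": {"app": "cache"}}),  # selects nothing
    _policy("frontend-only", "default",
            {"matchExpressions": [{"key": "tier", "operator": "In", "values": ["frontend"]}]}),
    _policy("default-deny", "staging", {}),  # empty selector: every pod in 'staging'
]

if __name__ == "__main__":
    uncovered, idle = check_network_policies(PODS, POLICIES)
    print("Pod Misconfigured Network Policy:", uncovered)
    print("Network Policy Is Not Targeting Any Pod:", idle)
```

Note that 'default/db-0' is uncovered even though the 'default' namespace has three policies, and 'cache-ingress' is idle because it selects a label no pod carries; a policy that exists but selects nothing gives no protection at all, which is why the second row is a finding rather than a warning.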
Service With External Load Balancer 26763a1c-5dda-4772-b507-5fca7fb5f165 |
Kubernetes | Medium | Networking and Firewall | Service has an external load balancer, which may cause accessibility from other networks and the Internet | Documentation |
Kubelet Not Managing Ip Tables 5f89001f-6dd9-49ff-9b15-d8cd71b617f4 |
Kubernetes | Medium | Networking and Firewall | When using the kubelet command, the '--make-iptables-util-chains' flag should be set to true | Documentation |
Audit Log Path Not Set 73e251f0-363d-4e53-86e2-0a93592437eb |
Kubernetes | Medium | Observability | When using the kube-apiserver command, the '--audit-log-path' flag should be defined | Documentation |
Audit Policy File Not Defined 13a49a2e-488e-4309-a7c0-d6b05577a5fb |
Kubernetes | Medium | Observability | When using the kube-apiserver command, the '--audit-policy-file' flag should be defined | Documentation |
Memory Limits Not Defined b14d1bc4-a208-45db-92f0-e21f8e2588e9 |
Kubernetes | Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory | Documentation |
CPU Requests Not Set ca469dd4-c736-448f-8ac1-30a642705e0a |
Kubernetes | Medium | Resource Management | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node | Documentation |
Shared Host IPC Namespace cd290efd-6c82-4e9d-a698-be12ae31d536 |
Kubernetes | Medium | Resource Management | Container should not share the host IPC namespace | Documentation |
Memory Requests Not Defined 229588ef-8fde-40c8-8756-f4f2b5825ded |
Kubernetes | Medium | Resource Management | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes | Documentation |
CPU Limits Not Set 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda |
Kubernetes | Medium | Resource Management | CPU limits should be set; without a limit, a container may consume all free CPU time on the node, well beyond what it requested | Documentation |
Shared Host Network Namespace 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a |
Kubernetes | Medium | Resource Management | Container should not share the host network namespace | Documentation |
Volume Mount With OS Directory Write Permissions b7652612-de4e-4466-a0bf-1cd81f0c6063 |
Kubernetes | Medium | Resource Management | Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. | Documentation |
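Most of the pod- and container-level rows above (host PID/IPC/network namespaces, privileged containers, privilege escalation, root and low UIDs, NET_RAW and SYS_ADMIN capabilities, unmasked /proc, seccomp, read-only root filesystem, resource requests and limits, service-account token automount) are evaluated on the same object, a PodSpec. The Python below is an added example, not code from this catalogue or from the scanner it documents: it applies those checks to two constructed Pod manifests, one weak and one hardened, and also folds in the later 'Secrets As Environment Variables' and hostPort rows. The UID floor of 10000 used for the "low UID" check is the editor's assumption, and the finding names reuse the query names above.

```python
# Added example: pod- and container-level checks from the rows above applied to
# a PodSpec. Not from the catalogue or the scanner it documents; the manifests
# are constructed. Assumption: "low UID" means a runAsUser below 10000.
LOW_UID_CEILING = 10000


def _containers(spec):
    for key in ("initContainers", "containers"):
        yield from spec.get(key, [])


def check_pod_spec(spec):
    """Return sorted finding names for one PodSpec: a Pod's 'spec', or the
    'spec.template.spec' of a Deployment, StatefulSet, DaemonSet or Job."""
    f = set()
    pod_sc = spec.get("securityContext", {})
    if spec.get("hostPID"):
        f.add("Shared Host PID Namespace")
    if spec.get("hostIPC"):
        f.add("Shared Host IPC Namespace")
    if spec.get("hostNetwork"):
        f.add("Shared Host Network Namespace")
    if spec.get("automountServiceAccountToken", True):  # API default is true
        f.add("Service Account Token Automount Not Disabled")
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        dropped = {x.upper() for x in caps.get("drop", [])}
        added = {x.upper() for x in caps.get("add", [])}
        # container-level settings override the pod-level ones for these fields
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        limits = c.get("resources", {}).get("limits", {})
        requests = c.get("resources", {}).get("requests", {})
        if sc.get("privileged"):
            f.add("Container Is Privileged")
        if sc.get("allowPrivilegeEscalation", True):  # default permits escalation
            f.add("Privilege Escalation Allowed")
        if not run_as_non_root and run_as_user in (None, 0):
            f.add("Container Running As Root")
        if run_as_user is not None and 0 < run_as_user < LOW_UID_CEILING:
            f.add("Container Running With Low UID")
        if not dropped & {"ALL", "NET_RAW"}:
            f.add("NET_RAW Capabilities Not Being Dropped")
        if "SYS_ADMIN" in added:
            f.add("Containers With Sys Admin Capabilities")
        if added:
            f.add("Containers With Added Capabilities")
        if sc.get("procMount") == "Unmasked":
            f.add("Container Runs Unmasked")
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            f.add("Seccomp Profile Is Not Configured")
        if not sc.get("readOnlyRootFilesystem"):
            f.add("Root Container Not Mounted Read-only")
        if "memory" not in limits:
            f.add("Memory Limits Not Defined")
        if "cpu" not in limits:
            f.add("CPU Limits Not Set")
        if "memory" not in requests:
            f.add("Memory Requests Not Defined")
        if "cpu" not in requests:
            f.add("CPU Requests Not Set")
        if any("secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", [])):
            f.add("Secrets As Environment Variables")
        if any("hostPort" in p for p in c.get("ports", [])):
            f.add("Workload Host Port Not Specified")  # raised when a hostPort IS set
    return sorted(f)


# Constructed manifests (Python dicts equivalent to the YAML objects).
WEAK_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "example-weak", "namespace": "default"},
    "spec": {"hostPID": True, "containers": [{
        "name": "app", "image": "example.invalid/app:latest",
        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
        "ports": [{"containerPort": 8080, "hostPort": 8080}]}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "example-hardened", "namespace": "app"},
    "spec": {"automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                          "requests": {"cpu": "500m", "memory": "256Mi"}},
            "ports": [{"containerPort": 8080}]}]}}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod_spec(pod["spec"]))
```

The weak manifest is short precisely because it relies on the API defaults, and those defaults ('allowPrivilegeEscalation', token automount, no seccomp profile, no capability drops) are what several of the rows flag; the hardened manifest has to spell each of them out.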
Kubelet Client Certificate Or Key Not Set 36a27826-1bf5-49da-aeb0-a60a30c0e834 |
Kubernetes | Medium | Secret Management | When using the kube-apiserver command, the '--kubelet-client-key' and '--kubelet-client-certificate' flags should be set | Documentation |
Etcd Client Certificate File Not Defined 3f5ff8a7-5ad6-4d02-86f5-666307da1b20 |
Kubernetes | Medium | Secret Management | When using the kube-apiserver command, the '--etcd-cafile' flag should be defined | Documentation |
Kubelet Certificate Authority Not Set ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0 |
Kubernetes | Medium | Secret Management | When using the kube-apiserver command, the '--kubelet-certificate-authority' flag should be set | Documentation |
Shared Service Account c1032cf7-3628-44e2-bd53-38c17cf31b6b |
Kubernetes | Medium | Secret Management | A Service Account token is shared between workloads | Documentation |
Etcd Peer Client Certificate Authentication Set To False b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff |
Kubernetes | Medium | Secret Management | When using the etcd command, the '--peer-client-cert-auth' flag should be set to true | Documentation |
ServiceAccount Allows Access Secrets 056ac60e-fe07-4acc-9b34-8e1d51716ab9 |
Kubernetes | Medium | Secret Management | Roles and ClusterRoles bound to a ServiceAccount should not grant the get, list or watch verbs on secrets | Documentation |
Etcd Client Certificate Authentication Set To False 9391103a-d8d7-4671-ac5d-606ba7ccb0ac |
Kubernetes | Medium | Secret Management | When using the etcd command, the '--client-cert-auth' flag should be set to true | Documentation |
Service Account Key File Not Properly Set dab4ec72-ce2e-4732-b7c3-1757dcce01a1 |
Kubernetes | Medium | Secret Management | When using the kube-apiserver command, the '--service-account-key-file' flag should be defined | Documentation |
Not Unique Certificate Authority cb7e695d-6a85-495c-b15f-23aed2519303 |
Kubernetes | Medium | Secret Management | Certificate Authority should be unique for etcd | Documentation |
Rotate Kubelet Server Certificate Not Active 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2 |
Kubernetes | Medium | Secret Management | When using the kubelet command, the 'RotateKubeletServerCertificate' feature gate should be set to true (--feature-gates=RotateKubeletServerCertificate=true) | Documentation |
Kubelet Client Periodic Certificate Switch Disabled 52d70f2e-3257-474c-b3dc-8ad9ba6a061a |
Kubernetes | Medium | Secret Management | When using the kubelet command, the '--rotate-certificates' flag should be set to true | Documentation |
Missing AppArmor Profile 8b36775e-183d-4d46-b0f7-96a6f34a723f |
Kubernetes | Low | Access Control | Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources | Documentation |
Docker Daemon Socket is Exposed to Containers a6f34658-fdfb-4154-9536-56d516f65828 |
Kubernetes | Low | Access Control | The Docker daemon socket (/var/run/docker.sock) should not be mounted into containers | Documentation |
Cluster Admin Rolebinding With Superuser Permissions 249328b8-5f0f-409f-b1dd-029f07882e11 |
Kubernetes | Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) | Documentation |
Deployment Without PodDisruptionBudget b23e9b98-0cb6-4fc9-b257-1f3270442678 |
Kubernetes | Low | Availability | Deployments should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
Liveness Probe Is Not Defined ade74944-a674-4e00-859e-c6eab5bde441 |
Kubernetes | Low | Availability | In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it | Documentation |
HPA Targets Invalid Object 2f652c42-619d-4361-b361-9f599688f8ca |
Kubernetes | Low | Availability | The Horizontal Pod Autoscale must target a valid object | Documentation |
Event Rate Limit Admission Control Plugin Not Set e0099af2-fe17-411f-9991-0de28fe15f3c |
Kubernetes | Low | Availability | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'EventRateLimit' plugin, and the plugin should be correctly configured in the admission control config file | Documentation |
StatefulSet Without PodDisruptionBudget 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 |
Kubernetes | Low | Availability | StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
StatefulSet Without Service Name bb241e61-77c3-4b97-9575-c0f8a1e008d0 |
Kubernetes | Low | Availability | StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. | Documentation |
HPA Targeted Deployments With Configured Replica Count 5744cbb8-5946-4b75-a196-ade44449525b |
Kubernetes | Low | Availability | Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set | Documentation |
Metadata Label Is Invalid 1123031a-f921-4c5b-bd86-ef354ecfd37a |
Kubernetes | Low | Best Practices | Check if any label in the metadata is invalid. | Documentation |
No Drop Capabilities for Containers 268ca686-7fb7-4ae9-b129-955a2a89064e |
Kubernetes | Low | Best Practices | Containers should drop capabilities in their security context ('securityContext.capabilities.drop') | Documentation |
Root Container Not Mounted Read-only a9c2f49d-0671-4fc9-9ece-f4e261e128d0 |
Kubernetes | Low | Build Process | Check if the root container filesystem is not being mounted read-only. | Documentation |
Namespace Lifecycle Admission Control Plugin Disabled 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37 |
Kubernetes | Low | Build Process | When using the kube-apiserver command, the '--disable-admission-plugins' flag should not include the 'NamespaceLifecycle' plugin | Documentation |
Image Policy Webhook Admission Control Plugin Not Set 14abda69-8e91-4acb-9931-76e2bee90284 |
Kubernetes | Low | Build Process | When using the kube-apiserver command, the '--enable-admission-plugins' flag should include the 'ImagePolicyWebhook' plugin, and the plugin should be correctly configured in the admission control config file | Documentation |
StatefulSet Requests Storage 8cf4671a-cf3d-46fc-8389-21e7405063a2 |
Kubernetes | Low | Build Process | A StatefulSet's volume claim templates should request storage ('resources.requests.storage') | Documentation |
Pod or Container Without ResourceQuota 48a5beba-e4c0-4584-a2aa-e6894e4cf424 |
Kubernetes | Low | Insecure Configurations | Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume | Documentation |
Kubelet Hostname Override Is Set bf36b900-b5ef-4828-adb7-70eb543b7cfb |
Kubernetes | Low | Insecure Configurations | When using the kubelet command, the '--hostname-override' flag should not be set | Documentation |
Dashboard Is Enabled d2ad057f-0928-41ef-a83c-f59203bb855b |
Kubernetes | Low | Insecure Configurations | Unless it is needed, the Kubernetes Dashboard should be disabled so that it cannot be used as an attack vector | Documentation |
Service Does Not Target Pod 3ca03a61-3249-4c16-8427-6f8e47dda729 |
Kubernetes | Low | Insecure Configurations | Service should Target a Pod | Documentation |
Pod or Container Without Security Context a97a340a-0063-418e-b3a1-3028941d0995 |
Kubernetes | Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container | Documentation |
Pod or Container Without LimitRange 4a20ebac-1060-4c81-95d1-1f7f620e983b |
Kubernetes | Low | Insecure Configurations | Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries | Documentation |
Image Pull Policy Of The Container Is Not Set To Always caa3479d-885d-4882-9aac-95e5e78ef5c2 |
Kubernetes | Low | Insecure Configurations | Image Pull Policy of the container must be defined and set to Always | Documentation |
Image Without Digest 7c81d34c-8e5a-402b-9798-9f442630e678 |
Kubernetes | Low | Insecure Configurations | Images should be specified together with their digests to ensure integrity | Documentation |
Service Type is NodePort 845acfbe-3e10-4b8e-b656-3b404d36dfb2 |
Kubernetes | Low | Networking and Firewall | Service type should not be NodePort | Documentation |
Workload Host Port Not Specified 2b1836f1-dcce-416e-8e16-da8c71920633 |
Kubernetes | Low | Networking and Firewall | Checks whether a Kubernetes workload's containers specify a 'hostPort'; binding container ports directly to the host should be avoided | Documentation |
Audit Log Maxsize Not Properly Set 35c0a471-f7c8-4993-aa2c-503a3c712a66 |
Kubernetes | Low | Observability | When using the kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 megabytes or more | Documentation |
Audit Log Maxbackup Not Properly Set 768aab52-2504-4a2f-a3e3-329d5a679848 |
Kubernetes | Low | Observability | When using the kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 files or more | Documentation |
Kubelet Event QPS Not Properly Set 1a07a446-8e61-4e4d-bc16-b0781fcb8211 |
Kubernetes | Low | Observability | When using the kubelet command, the '--event-qps' flag should be set to 0 | Documentation |
Profiling Not Set To False 2f491173-6375-4a84-b28e-a4e2b9a58a69 |
Kubernetes | Low | Observability | When using the kube-apiserver, kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false | Documentation |
Audit Policy Does Not Cover Key Security Concerns 1828a670-5957-4bc5-9974-47da228f75e2 |
Kubernetes | Low | Observability | The audit policy should cover the key security concerns about sensitive data logged under Kubernetes audit policies | Documentation |
Audit Log Maxage Not Properly Set da9f3aa8-fbfb-472f-b5a1-576127944218 |
Kubernetes | Low | Observability | When using the kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 days or more | Documentation |
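The many "When using the kube-apiserver command, the '--...' flag should ..." rows above are all checks on one command line, usually the 'command' and 'args' of the kube-apiserver static Pod under /etc/kubernetes/manifests. The Python below is an added example, not code from this catalogue or from the scanner it documents: it parses that command line into a flag map and applies the kube-apiserver checks from the rows above (authentication and insecure-port flags, admission plugins, authorization modes, profiling, audit logging with the 30-day/10-file/100 MB thresholds stated above, and the certificate and key files). The two manifests are constructed for the example and their file paths are placeholders; the finding names reuse the query names above.

```python
# Added example: parse a kube-apiserver static Pod's command line and apply the
# kube-apiserver flag checks from the rows above. Not from the catalogue or the
# scanner it documents; the manifests are constructed, the paths are placeholders.


def parse_flags(argv):
    """Turn ['kube-apiserver', '--a=1', '--b', '2', '--c'] into
    {'--a': '1', '--b': '2', '--c': 'true'}: a bare '--flag' is a boolean
    switch, and a later occurrence of a flag replaces an earlier one."""
    flags, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, value = tok.split("=", 1)
                flags[key] = value
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[tok] = argv[i + 1]
                i += 1
            else:
                flags[tok] = "true"
        i += 1
    return flags


def apiserver_argv(pod):
    """Command line (command + args) of the container that runs kube-apiserver."""
    for c in pod["spec"]["containers"]:
        argv = c.get("command", []) + c.get("args", [])
        if argv and argv[0].endswith("kube-apiserver"):
            return argv
    raise ValueError("no kube-apiserver container in manifest")


REQUIRED = {  # flag that must be present -> finding raised when it is absent
    "--audit-log-path": "Audit Log Path Not Set",
    "--audit-policy-file": "Audit Policy File Not Defined",
    "--etcd-cafile": "Etcd Client Certificate File Not Defined",
    "--kubelet-certificate-authority": "Kubelet Certificate Authority Not Set",
    "--service-account-key-file": "Service Account Key File Not Properly Set",
    "--encryption-provider-config": "Encryption Provider Config Is Not Defined",
}
REQUIRED_PAIRS = {  # both flags must be present
    ("--etcd-certfile", "--etcd-keyfile"): "Etcd TLS Certificate Not Properly Configured",
    ("--kubelet-client-certificate", "--kubelet-client-key"): "Kubelet Client Certificate Or Key Not Set",
    ("--tls-cert-file", "--tls-private-key-file"): "TLS Connection Certificate Not Setup",
}
AUDIT_MINIMUMS = (  # rotation thresholds from the rows above: 30 days, 10 files, 100 MB
    ("--audit-log-maxage", 30, "Audit Log Maxage Not Properly Set"),
    ("--audit-log-maxbackup", 10, "Audit Log Maxbackup Not Properly Set"),
    ("--audit-log-maxsize", 100, "Audit Log Maxsize Not Properly Set"),
)


def check_apiserver(flags):
    """Return sorted finding names for a parsed kube-apiserver command line."""
    def csv(name):
        return {v for v in flags.get(name, "").split(",") if v}
    enabled, disabled = csv("--enable-admission-plugins"), csv("--disable-admission-plugins")
    authz = csv("--authorization-mode")
    failed = {  # finding -> True when the weak condition holds
        "Anonymous Auth Is Not Set To False": flags.get("--anonymous-auth", "true") != "false",
        "Basic Auth File Is Set": "--basic-auth-file" in flags,
        "Token Auth File Is Set": "--token-auth-file" in flags,
        "Insecure Port Not Properly Set": flags.get("--insecure-port") != "0",
        "Insecure Bind Address Set": "--insecure-bind-address" in flags,
        "Secure Port Set To Zero": flags.get("--secure-port") == "0",
        "Kubelet HTTPS Set To False": flags.get("--kubelet-https") == "false",
        "Always Admit Admission Control Plugin Set": "AlwaysAdmit" in enabled,
        "Node Restriction Admission Control Plugin Not Set": "NodeRestriction" not in enabled,
        "Service Account Admission Control Plugin Disabled": "ServiceAccount" in disabled,
        "Namespace Lifecycle Admission Control Plugin Disabled": "NamespaceLifecycle" in disabled,
        "Authorization Mode RBAC Not Set": "RBAC" not in authz,
        "Authorization Mode Node Not Set": "Node" not in authz,
        "Profiling Not Set To False": flags.get("--profiling", "true") != "false",
    }
    failed.update((name, flag not in flags) for flag, name in REQUIRED.items())
    failed.update((name, not set(pair) <= set(flags)) for pair, name in REQUIRED_PAIRS.items())
    for flag, minimum, name in AUDIT_MINIMUMS:
        failed[name] = not flags.get(flag, "").isdigit() or int(flags[flag]) < minimum
    return sorted(name for name, bad in failed.items() if bad)


def _static_pod(argv):
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
            "spec": {"containers": [{"name": "kube-apiserver",
                                     "image": "example.invalid/kube-apiserver", "command": argv}]}}


# Constructed manifests; the /etc/kubernetes paths are placeholders.
WEAK_APISERVER = _static_pod([
    "kube-apiserver", "--insecure-port=8080", "--insecure-bind-address=0.0.0.0",
    "--authorization-mode=AlwaysAllow", "--enable-admission-plugins=AlwaysAdmit",
    "--disable-admission-plugins=ServiceAccount", "--token-auth-file=/etc/kubernetes/tokens.csv"])
HARDENED_APISERVER = _static_pod([
    "kube-apiserver", "--anonymous-auth=false", "--insecure-port=0", "--secure-port=6443",
    "--authorization-mode=Node,RBAC", "--enable-admission-plugins=NodeRestriction,AlwaysPullImages,EventRateLimit",
    "--admission-control-config-file=/etc/kubernetes/admission.yaml", "--profiling=false",
    "--audit-log-path=/var/log/kubernetes/audit.log", "--audit-policy-file=/etc/kubernetes/audit-policy.yaml",
    "--audit-log-maxage=30", "--audit-log-maxbackup=10", "--audit-log-maxsize=100",
    "--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt", "--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt",
    "--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key",
    "--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt",
    "--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt",
    "--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key",
    "--service-account-key-file=/etc/kubernetes/pki/sa.pub",
    "--encryption-provider-config=/etc/kubernetes/encryption.yaml",
    "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt", "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key"])

if __name__ == "__main__":
    for pod in (WEAK_APISERVER, HARDENED_APISERVER):
        print(pod["metadata"]["name"], check_apiserver(parse_flags(apiserver_argv(pod))))
```

Two details matter when doing this for real: flags can arrive either as '--flag=value' or as '--flag value' split across two list entries, and a flag given twice takes its last value, so the parser has to resolve both before any check runs; and the absence of a flag is itself a finding for most of these rows (the weak manifest fails 22 checks while setting only six flags), so checks must be written against the flag map, not against the raw argument list.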
Container Requests Not Equal To It's Limits aee3c7d2-a811-4201-90c7-11c028be9a46 |
Kubernetes | Low | Resource Management | Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively | Documentation |
Container CPU Requests Not Equal To Its Limits 9d43040e-e703-4e16-8bfe-8d4da10fa7e6 |
Kubernetes | Low | Resource Management | A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDoS of the node during spikes. This means 'requests.cpu' must equal 'limits.cpu', and both must be defined. | Documentation |
Container Memory Requests Not Equal To Its Limits aafa7d94-62de-4fbf-8838-b69ee217b0e6 |
Kubernetes | Low | Resource Management | A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDoS of the node during spikes. This means 'requests.memory' must equal 'limits.memory', and both must be defined. | Documentation |
StatefulSet Has No PodAntiAffinity d740d048-8ed3-49d3-b77b-6f072f3b669e |
Kubernetes | Low | Resource Management | Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
Deployment Has No PodAntiAffinity a31b7b82-d994-48c4-bd21-3bab6c31827a |
Kubernetes | Low | Resource Management | Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
CronJob Deadline Not Configured 192fe40b-b1c3-448a-aba2-6cc19a300fe3 |
Kubernetes | Low | Resource Management | Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined | Documentation |
Secrets As Environment Variables 3d658f8b-d988-41a0-a841-40043121de1e |
Kubernetes | Low | Secret Management | Container should not use secrets as environment variables | Documentation |
Invalid Image Tag 583053b7-e632-46f0-b989-f81ff8045385 |
Kubernetes | Low | Supply-Chain | Image tag must be defined and not be empty or equal to latest. | Documentation |
Ensure Administrative Boundaries Between Resources e84eaf4d-2f45-47b2-abe8-e581b06deb66 |
Kubernetes | Info | Access Control | As a best practice, ensure that namespaces are used correctly to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. | Documentation |
Using Kubernetes Native Secret Management b9c83569-459b-4110-8f79-6305aa33cb37 |
Kubernetes | Info | Secret Management | Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited | Documentation |
Cloud Storage Anonymous or Publicly Accessible 63ae3638-a38c-4ff4-b616-6e1f72a31a6a |
GoogleDeploymentManager | High | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' | Documentation |
BigQuery Dataset Is Public 83103dff-d57f-42a8-bd81-40abab64c1a7 |
GoogleDeploymentManager | High | Access Control | BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' | Documentation |
Cloud Storage Bucket Is Publicly Accessible 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc |
GoogleDeploymentManager | High | Access Control | Cloud Storage Bucket is anonymously or publicly accessible | Documentation |
SQL DB Instance Backup Disabled a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01 |
GoogleDeploymentManager | High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
SQL DB Instance With SSL Disabled 660360d3-9ca7-46d1-b147-3acc4002953f |
GoogleDeploymentManager | High | Encryption | Cloud SQL Database Instance should have SSL enabled | Documentation |
DNSSEC Using RSASHA1 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35 |
GoogleDeploymentManager | High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
IP Aliasing Disabled 28727987-e398-49b8-aef1-8a3e7789d111 |
GoogleDeploymentManager | High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. | Documentation |
Cluster Master Authentication Disabled 7ef7d141-9fbb-4679-a977-fd0883436906 |
GoogleDeploymentManager | High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
Cluster Labels Disabled 8810968b-4b15-421d-918b-d91eb4bb8d1d |
GoogleDeploymentManager | High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined | Documentation |
Private Cluster Disabled 48c61fbd-09c9-46cc-a521-012e0c325412 |
GoogleDeploymentManager | High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. | Documentation |
Network Policy Disabled c47f90e8-4a19-43f0-8413-cc434d286c4e |
GoogleDeploymentManager | High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false | Documentation |
GKE Legacy Authorization Enabled df58d46c-783b-43e0-bdd0-d99164f712ee |
GoogleDeploymentManager | High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. | Documentation |
Client Certificate Disabled dd690686-2bf9-4012-a821-f61912dd77be |
GoogleDeploymentManager | High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true | Documentation |
MySQL Instance With Local Infile On c759d6f2-4dd3-4160-82d3-89202ef10d87 |
GoogleDeploymentManager | High | Insecure Configurations | MySQL Instance should not have Local Infile On | Documentation |
Not Proper Email Account In Use a21b8df3-c840-4b3d-a41a-10fb2afda171 |
GoogleDeploymentManager | High | Insecure Configurations | Gmail accounts are being used instead of corporate credentials | Documentation |
GKE Master Authorized Networks Disabled 62c8cf50-87f0-4295-a974-8184ed78fe02 |
GoogleDeploymentManager | High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters | Documentation |
Compute Instance Is Publicly Accessible 8212e2d7-e683-49bc-bf78-d6799075c5a7 |
GoogleDeploymentManager | High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
Stackdriver Logging Disabled 95601b9a-7fe8-4aee-9b58-d36fd9382dfc |
GoogleDeploymentManager | High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' | Documentation |
Cloud Storage Bucket Versioning Disabled ad0875c1-0b39-4890-9149-173158ba3bba |
GoogleDeploymentManager | High | Observability | Cloud Storage Bucket should have versioning enabled | Documentation |
Stackdriver Monitoring Disabled bbfc97ab-e92a-4a7b-954c-e88cec815011 |
GoogleDeploymentManager | High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different from 'none' | Documentation |
Node Auto Upgrade Disabled dc5c5fee-6c53-43b0-ab11-4c660e064aaf |
GoogleDeploymentManager | High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'management' must be defined and have the attribute 'autoUpgrade' set to true | Documentation |
Disk Encryption Disabled fc040fb6-4c23-4c0d-b12a-39edac35debb |
GoogleDeploymentManager | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined | Documentation |
Cloud DNS Without DNSSEC 313d6deb-3b67-4948-b41d-35b699c2492e |
GoogleDeploymentManager | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
Google Storage Bucket Level Access Disabled 1239f54b-33de-482a-8132-faebe288e6a6 |
GoogleDeploymentManager | Medium | Insecure Configurations | Google Storage Bucket Level Access should be enabled | Documentation |
COS Node Image Not Used dbe058d7-b82e-430b-8426-992b2e4677e7 |
GoogleDeploymentManager | Medium | Insecure Configurations | The node image should be Container-Optimized OS (COS) | Documentation |
OSLogin Is Disabled In VM Instance e66e1b71-c810-4b4e-a737-0ab59e7f5e41 |
GoogleDeploymentManager | Medium | Insecure Configurations | VM instance should have OSLogin enabled | Documentation |
Shielded VM Disabled 9038b526-4c19-4928-bca2-c03d503bdb79 |
GoogleDeploymentManager | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true | Documentation |
SSH Access Is Not Restricted dee21308-2a7a-49de-8ff7-c9b87e188575 |
GoogleDeploymentManager | Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block), following the principle of least privilege | Documentation |
RDP Access Is Not Restricted 50cb6c3b-c878-4b88-b50e-d1421bada9e8 |
GoogleDeploymentManager | Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 | Documentation |
IP Forwarding Enabled 7c98538a-81c6-444b-bf04-e60bc3ceeec0 |
GoogleDeploymentManager | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true | Documentation |
Bucket Without Versioning 227c2f58-70c6-4432-8e9a-a89c1a548cf5 |
GoogleDeploymentManager | Medium | Observability | Bucket should have versioning enabled | Documentation |
Project-wide SSH Keys Are Enabled In VM Instances 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811 |
GoogleDeploymentManager | Medium | Secret Management | VM Instance should block project-wide SSH keys | Documentation |
Serving Revision Spec Without Timeout Seconds e8bb41e4-2f24-4e84-8bea-8c7c070cf93d |
Knative | Info | Insecure Configurations | Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service | Documentation |
UNIX Ports Out Of Range 71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e |
Dockerfile | High | Availability | Exposed UNIX ports must be within the range 0 to 65535 | Documentation |
WORKDIR Path Not Absolute 6b376af8-cfe8-49ab-a08d-f32de23661a4 |
Dockerfile | High | Build Process | For clarity and reliability, you should always use absolute paths for your WORKDIR | Documentation |
Multiple ENTRYPOINT Instructions Listed 6938958b-3f1a-451c-909b-baeee14bdc97 |
Dockerfile | High | Build Process | There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect | Documentation |
Copy With More Than Two Arguments Not Ending With Slash 6db6e0c2-32a3-4a2e-93b5-72c35f4119db |
Dockerfile | High | Build Process | When a COPY command has more than two arguments, the last one should end with a slash | Documentation |
COPY '--from' References Current FROM Alias cdddb86f-95f6-4fc4-b5a1-483d9afceb2b |
Dockerfile | High | Build Process | COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself | Documentation |
Same Alias In Different Froms f2daed12-c802-49cd-afed-fe41d0b82fed |
Dockerfile | High | Build Process | Different FROM instructions can't have the same alias defined | Documentation |
Missing User Instruction fd54f200-402c-4333-a5a4-36ef6709af2f |
Dockerfile | High | Build Process | A user should be specified in the Dockerfile, otherwise the image will run as root | Documentation |
Run Using Sudo 8ada6e80-0ade-439e-b176-0b28f6bce35a |
Dockerfile | High | Insecure Configurations | Avoid RUN with sudo command as it leads to unpredictable behavior | Documentation |
Last User Is 'root' 67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae |
Dockerfile | Medium | Best Practices | Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges | Documentation |
Changing Default Shell Using RUN Command 8a301064-c291-4b20-adcb-403fe7fd95fd |
Dockerfile | Medium | Best Practices | Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. | Documentation |
Update Instruction Alone 9bae49be-0aa3-4de5-bab2-4c3a069e40cd |
Dockerfile | Medium | Build Process | Instruction 'RUN | Documentation |
Not Using JSON In CMD And ENTRYPOINT Arguments b86987e1-6397-4619-81d5-8807f2387c79 |
Dockerfile | Medium | Build Process | Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments | Documentation |
Multiple CMD Instructions Listed 41c195f4-fc31-4a5c-8a1b-90605538d49f |
Dockerfile | Medium | Build Process | There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect | Documentation |
RUN Instruction Using 'cd' Instead of WORKDIR f4a6bcd3-e231-4acf-993c-aa027be50d2e |
Dockerfile | Medium | Build Process | When using the RUN command, 'cd' should only be used with full paths. For relative paths, use the WORKDIR command instead. | Documentation |
Shell Running A Pipe Without Pipefail Flag efbf148a-67e9-42d2-ac47-02fa1c0d0b22 |
Dockerfile | Medium | Insecure Defaults | Check if shell commands with pipes (except PowerShell) have the pipefail flag set ('-o pipefail'). | Documentation |
Gem Install Without Version 22cd11f7-9c6c-4f6e-84c0-02058120b341 |
Dockerfile | Medium | Supply-Chain | Instead of 'gem install | Documentation |
Zypper Install Without Version 562952e4-0348-4dea-9826-44f3a2c6117b |
Dockerfile | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
Image Version Using 'latest' f45ea400-6bbe-4501-9fc7-1c3d75c32067 |
Dockerfile | Medium | Supply-Chain | When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag | Documentation |
Missing Version Specification In dnf install 93d88cf7-f078-46a8-8ddc-178e03aeacf1 |
Dockerfile | Medium | Supply-Chain | Specifying a package version reduces failures due to unanticipated changes in required packages. | Documentation |
Unpinned Package Version in Pip Install 02d9c71f-3ee8-4986-9c27-1a20d0d19bfc |
Dockerfile | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes | Documentation |
NPM Install Command Without Pinned Version e36d8880-3f78-4546-b9a1-12f0745ca0d5 |
Dockerfile | Medium | Supply-Chain | Check if packages installed by npm are pinning a specific version. | Documentation |
Unpinned Package Version in Apk Add d3499f6d-1651-41bb-a9a7-de925fea487b |
Dockerfile | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes | Documentation |
Using Platform Flag with FROM Command b16e8501-ef3c-44e1-a543-a093238099c9 |
Dockerfile | Medium | Supply-Chain | Don't use '--platform' flag with FROM | Documentation |
Yum Install Allows Manual Input 6e19193a-8753-436d-8a09-76dcff91bb03 |
Dockerfile | Medium | Supply-Chain | Need to use -y to avoid manual input 'yum install -y | Documentation |
APT-GET Missing '-y' To Avoid Manual Input 77783205-c4ca-4f80-bb80-c777f267c547 |
Dockerfile | Medium | Supply-Chain | Check if apt-get calls use the flag -y to avoid user manual input. | Documentation |
Run Using 'wget' and 'curl' fc775e75-fcfb-4c98-b2f2-910c5858b359 |
Dockerfile | Medium | Supply-Chain | Don't use both 'wget' and 'curl', since they are two tools that have the same effect | Documentation |
Yum install Without Version 6452c424-1d92-4deb-bb18-a03e95d579c4 |
Dockerfile | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
Missing Dnf Clean All 295acb63-9246-4b21-b441-7c1f1fb62dc0 |
Dockerfile | Medium | Supply-Chain | Cached package data should be cleaned after installation to reduce image size | Documentation |
Image Version Not Explicit 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd |
Dockerfile | Medium | Supply-Chain | Always tag the version of an image explicitly | Documentation |
Apt Get Install Pin Version Not Defined 965a08d7-ef86-4f14-8792-4a3b2098937e |
Dockerfile | Medium | Supply-Chain | When installing a package, its pin version should be defined | Documentation |
Missing Zypper Non-interactive Switch 45e1fca5-f90e-465d-825f-c2cb63fa3944 |
Dockerfile | Medium | Supply-Chain | Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input | Documentation |
Run Using apt b84a0b47-2e99-4c9f-8933-98bcabe2b94d |
Dockerfile | Medium | Supply-Chain | apt is discouraged by Linux distributions for unattended use, since its interface may change between versions. Use the more stable apt-get and apt-cache instead | Documentation |
Yum Clean All Missing 00481784-25aa-4a55-8633-3136dfcf4f37 |
Dockerfile | Medium | Supply-Chain | 'yum clean all' should be run after a 'yum install' command to clean cached package data and reduce image size | Documentation |
Add Instead of Copy 9513a694-aa0d-41d8-be61-3271e056f36b |
Dockerfile | Medium | Supply-Chain | Using ADD to load external installation scripts could allow a malicious web server to serve a malicious script that gets loaded into the image. | Documentation |
Missing Flag From Dnf Install 7ebd323c-31b7-4e5b-b26f-de5e9e477af8 |
Dockerfile | Medium | Supply-Chain | The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. | Documentation |
Pip install Keeping Cached Packages f2f903fb-b977-461e-98d7-b3e2185c6118 |
Dockerfile | Medium | Supply-Chain | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller | Documentation |
Missing Zypper Clean 38300d1a-feb2-4a48-936a-d1ef1cd24313 |
Dockerfile | Medium | Supply-Chain | Reduce layer and image size by deleting unneeded caches after running zypper | Documentation |
Exposing Port 22 (SSH) 5907595b-5b6d-4142-b173-dbb0e73fbff8 |
Dockerfile | Low | Best Practices | Expose only the ports that your application needs and avoid exposing ports like SSH (22) | Documentation |
MAINTAINER Instruction Being Used 99614418-f82b-4852-a9ae-5051402b741c |
Dockerfile | Low | Best Practices | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily | Documentation |
Multiple RUN, ADD, COPY, Instructions Listed 0008c003-79aa-42d8-95b8-1c2fe37dbfe6 |
Dockerfile | Low | Best Practices | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. | Documentation |
Curl or Wget Instead of Add 4b410d24-1cbe-4430-a632-62c9a931cf1c |
Dockerfile | Low | Best Practices | Use curl or wget instead of ADD to fetch packages from remote URLs, since using ADD for this purpose is strongly discouraged | Documentation |
Chown Flag Exists aa93e17f-b6db-4162-9334-c70334e7ac28 |
Dockerfile | Low | Best Practices | It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user; only execution permissions are required on the file, not ownership | Documentation |
Using Unnamed Build Stages 68a51e22-ae5a-4d48-8e87-b01a323605c9 |
Dockerfile | Low | Build Process | This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. | Documentation |
Healthcheck Instruction Missing b03a748a-542d-44f4-bb86-9199ab4fd2d5 |
Dockerfile | Low | Insecure Configurations | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working | Documentation |
APT-GET Not Avoiding Additional Packages 7384dfb2-fcd1-4fbf-91cd-6c44c318c33c |
Dockerfile | Info | Supply-Chain | Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. | Documentation |
Run Utilities And POSIX Commands 9b6b0f38-92a2-41f9-b881-3a1083d99f1b |
Dockerfile | Info | Supply-Chain | Some POSIX commands and interactive utilities shouldn't run inside a Docker Container | Documentation |
Apt Get Install Lists Were Not Deleted df746b39-6564-4fed-bf85-e9c44382303c |
Dockerfile | Info | Supply-Chain | After using apt-get install, the apt-get lists should be deleted | Documentation |
Apk Add Using Local Cache Path ae9c56a6-3ed1-4ac0-9b54-31267f51151d |
Dockerfile | Info | Supply-Chain | When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' | Documentation |
Key Vault Not Recoverable 7c25f361-7c66-44bf-9b69-022acd5eb4bd |
AzureResourceManager | High | Backup | Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true | Documentation |
Azure Instance Using Basic Authentication 6797f581-0433-4768-ae3e-7ceb2f8b138e |
AzureResourceManager | High | Best Practices | Azure Instances should use SSH Key instead of basic authentication | Documentation |
Secret Without Expiration Date cff9c3f7-e8f0-455f-9fb4-5f72326da96e |
AzureResourceManager | High | Best Practices | All Secrets must have an expiration date defined | Documentation |
Storage Account Allows Unsecure Transfer 1367dd13-2c90-4020-80b7-e4339a3dc2c4 |
AzureResourceManager | High | Encryption | 'Microsoft.Storage/storageAccounts' should force the use of HTTPS | Documentation |
Web App Not Using TLS Last Version b5c851d5-00f1-43dc-a8de-3218fd6f71be |
AzureResourceManager | High | Encryption | Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' | Documentation |
Azure Managed Disk Without Encryption 350f3955-b5be-436f-afaa-3d2be2fa6cdd |
AzureResourceManager | High | Encryption | Azure Disk Encryption should be enabled | Documentation |
Website Not Forcing HTTPS 488847ff-6031-487c-bf42-98fd6ac5c9a0 |
AzureResourceManager | High | Insecure Configurations | 'Microsoft.Web/sites' should force the use of HTTPS | Documentation |
Trusted Microsoft Services Not Enabled e25b56cd-a4d6-498f-ab92-e6296a082097 |
AzureResourceManager | High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access | Documentation |
SQL Database Server Firewall Allows All IPs 6a3201a5-1630-494b-b294-3129d06b0eca |
AzureResourceManager | High | Networking and Firewall | SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0', since this allows all IPs | Documentation |
MySQL Server SSL Enforcement Disabled 90120147-f2e7-4fda-bb21-6fa9109afd63 |
AzureResourceManager | High | Networking and Firewall | 'Microsoft.DBforMySQL/servers' should enforce SSL | Documentation |
PostgreSQL Database Server SSL Disabled bf500309-da53-4dd3-bcf7-95f7974545a5 |
AzureResourceManager | High | Networking and Firewall | Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' | Documentation |
Website with Client Certificate Auth Disabled 92302b47-b0cc-46cb-a28f-5610ecda140b |
AzureResourceManager | High | Networking and Firewall | 'Microsoft.Web/sites' should have client certificate authentication enabled | Documentation |
Network Security Group With Unrestricted Access To RDP 59cb3da7-f206-4ae6-b827-7abf0a9cab9d |
AzureResourceManager | High | Networking and Firewall | Port 3389 (Remote Desktop) is exposed to the Internet | Documentation |
Storage Blob Service Container With Public Access a0ab985d-660b-41f7-ac81-70957ee8e627 |
AzureResourceManager | High | Networking and Firewall | Storage Blob Service Container should not be publicly accessible | Documentation |
Network Security Group With Unrestricted Access To SSH 2ade1579-4b2c-4590-bebb-f99bf597f612 |
AzureResourceManager | High | Networking and Firewall | Port 22 (SSH) is exposed to the Internet | Documentation |
Role Definitions Allow Custom Subscription Role Creation 8fa9ceea-881f-4ef0-b0b8-728f589699a7 |
AzureResourceManager | Medium | Access Control | Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') | Documentation |
AKS Cluster RBAC Disabled 9307a2ed-35c2-413d-94de-a1a0682c2158 |
AzureResourceManager | Medium | Access Control | Microsoft.ContainerService/managedClusters should have enableRBAC set to true | Documentation |
SQL Server Database With Alerts Disabled 574e8d82-1db2-4b9c-b526-e320ede9a9ff |
AzureResourceManager | Medium | Best Practices | All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties | Documentation |
AKS Cluster Network Policy Not Configured 25c0228e-4444-459b-a2df-93c7df40b7ed |
AzureResourceManager | Medium | Insecure Configurations | Azure Kubernetes Service must have a network policy defined. | Documentation |
AKS With Authorized IP Ranges Disabled 2583fab1-953b-4fae-bd02-4a136a6c21f9 |
AzureResourceManager | Medium | Networking and Firewall | Azure Kubernetes Service must have an authorized IP range for API Services enabled | Documentation |
PostgreSQL Database Server Log Connections Disabled e69bda39-e1e2-47ca-b9ee-b6531b23aedd |
AzureResourceManager | Medium | Networking and Firewall | Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' | Documentation |
Standard Price Is Not Selected 2081c7d6-2851-4cce-bda5-cb49d462da42 |
AzureResourceManager | Medium | Networking and Firewall | Azure Security Center provides more features for standard pricing mode, so it must be activated. | Documentation |
PostgreSQL Database Server Log Checkpoints Disabled f9112910-c7bb-4864-9f5e-2059ba413bb7 |
AzureResourceManager | Medium | Networking and Firewall | Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' | Documentation |
PostgreSQL Database Server Connection Throttling Disabled a6d774b6-d9ea-4bf4-8433-217bf15d2fb8 |
AzureResourceManager | Medium | Networking and Firewall | Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' | Documentation |
Log Profile Incorrect Category 4d522e7b-f938-4d51-a3b1-974ada528bd3 |
AzureResourceManager | Medium | Observability | Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' | Documentation |
AKS Logging To Azure Monitoring Is Disabled 9b09dee1-f09b-4013-91d2-158fa4695f4b |
AzureResourceManager | Medium | Observability | Azure Kubernetes Service should have logging to Azure Monitoring enabled. | Documentation |
SQL Server Database With Unrecommended Retention Days c09cdac2-7670-458a-bf6c-efad6880973a |
AzureResourceManager | Medium | Observability | SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days | Documentation |
SQL Server Database Without Auditing e055285c-bc01-48b4-8aa5-8a54acdd29df |
AzureResourceManager | Medium | Observability | Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled | Documentation |
Unrecommended Log Profile Retention Policy 25684eac-daaa-4c2c-94b4-8d2dbb627909 |
AzureResourceManager | Medium | Observability | Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) | Documentation |
Unrecommended Network Watcher Flow Log Retention Policy 564b70f8-41cd-4690-aff8-bb53add86bc9 |
AzureResourceManager | Medium | Observability | Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 | Documentation |
Storage Logging For Read Write And Delete Requests Disabled 43f6e60c-9cdb-4e77-864d-a66595d26518 |
AzureResourceManager | Medium | Observability | Storage Logging should be enabled for read, write and delete methods | Documentation |
Hardcoded SecureString Parameter Default Value 4d2cf896-c053-4be5-9c95-8b4771112f29 |
AzureResourceManager | Medium | Secret Management | Secure parameters should not have hardcoded default value | Documentation |
Website Azure Active Directory Disabled e9c133e5-c2dd-4b7b-8fff-40f2de367b56 |
AzureResourceManager | Low | Access Control | WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' | Documentation |
Phone Number Not Set For Security Contacts 3e9fcc67-1f64-405f-b2f9-0a6be17598f0 |
AzureResourceManager | Low | Best Practices | Microsoft.Security securityContacts should have a phone number defined | Documentation |
AKS Dashboard Is Enabled c62d3b92-9a11-4ffd-b7b7-6faaae83faed |
AzureResourceManager | Low | Insecure Configurations | Azure Kubernetes Service should have the Kubernetes dashboard disabled. | Documentation |
Website with 'Http20Enabled' Disabled 70111098-7f85-48f0-b1b4-e4261cf5f61b |
AzureResourceManager | Low | Networking and Firewall | 'Microsoft.Web/sites' should have 'Http20Enabled' enabled | Documentation |
Storage Account Allows Default Network Access 9073f073-5d60-4b46-b569-0d6baa80ed95 |
AzureResourceManager | Low | Networking and Firewall | 'Microsoft.Storage/storageAccounts' should force the use of HTTPS | Documentation |
App Service Authentication Is Not Set 83130a07-235b-4a80-918b-a370e53f0bd9 |
AzureResourceManager | Info | Access Control | Azure App Service should have App Service Authentication set | Documentation |
Account Admins Not Notified By Email a8852cc0-fd4b-4fc7-9372-1e43fad0732e |
AzureResourceManager | Info | Best Practices | Account admins should be notified by email in the event of security alerts | Documentation |
SQL Alert Policy Without Emails 89b79fe5-49bd-4d39-84ce-55f5fc6f7764 |
AzureResourceManager | Info | Best Practices | SQL Database Server should contain emails to be notified in the event of a Security Alert | Documentation |
Email Notifications Disabled 79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92 |
AzureResourceManager | Info | Networking and Firewall | Email notifications about new security alerts should be set to 'On' and be sent to persons with specific RBAC roles on the subscription | Documentation |
Admin User Enabled For Container Registry 29f35127-98e6-43af-8ec1-201b79f99604 |
Ansible | High | Access Control | Admin user is enabled for Container Registry | Documentation |
Public Storage Account 35e2f133-a395-40de-a79d-b260d973d1bd |
Ansible | High | Access Control | Storage Account should not be public to grant the principle of least privileges | Documentation |
Storage Container Is Publicly Accessible 4d3817db-dd35-4de4-a80d-3867157e7f7f |
Ansible | High | Access Control | Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage | Documentation |
Storage Account Not Forcing HTTPS 2c99a474-2a3c-4c17-8294-53ffa5ed0522 |
Ansible | High | Encryption | Storage Accounts should enforce the use of HTTPS | Documentation |
MySQL SSL Connection Disabled 2a901825-0f3b-4655-a0fe-e0470e50f8e6 |
Ansible | High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
SSL Enforce Disabled 961ce567-a16d-4d7d-9027-f0ec2628a555 |
Ansible | High | Encryption | Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
Azure Container Registry With No Locks 581dae78-307d-45d5-aae4-fe2b0db267a5 |
Ansible | High | Insecure Configurations | Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined | Documentation |
Web App Accepting Traffic Other Than HTTPS eb8c2560-8bee-4248-9d0d-e80c8641dd91 |
Ansible | High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service. | Documentation |
VM Not Attached To Network 1e5f5307-3e01-438d-8da6-985307ed25ce |
Ansible | High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
AD Admin Not Configured For SQL Server b176e927-bbe2-44a6-a9c3-041417137e5f |
Ansible | High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
CosmosDB Account IP Range Filter Not Set e8c80448-31d8-4755-85fc-6dbab69c2717 |
Ansible | High | Networking and Firewall | The IP range filter should be defined to secure the data stored | Documentation |
Trusted Microsoft Services Not Enabled 1bc398a8-d274-47de-a4c8-6ac867b353de |
Ansible | High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access | Documentation |
Sensitive Port Is Exposed To Entire Network 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc |
Ansible | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
SQLServer Ingress From Any IP f4e9ff70-0f3b-4c50-a713-26cbe7ec4039 |
Ansible | High | Networking and Firewall | Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. | Documentation |
Redis Publicly Accessible 0632d0db-9190-450a-8bb3-c283bffea445 |
Ansible | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources | Documentation |
Redis Entirely Accessible 0d0c12b9-edce-4510-9065-13f6a758750c |
Ansible | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet | Documentation |
AKS RBAC Disabled 149fa56c-4404-4f90-9e25-d34b676d5b39 |
Ansible | Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
Role Definition Allows Custom Role Creation 5c80db8e-03f5-43a2-b4af-1f3f87018157 |
Ansible | Medium | Access Control | Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) | Documentation |
Key Vault Soft Delete Is Disabled 881696a8-68c5-4073-85bc-7c38a3deb854 |
Ansible | Medium | Backup | Make sure Soft Delete is enabled for Key Vault | Documentation |
SQL Server Predictable Admin Account Name 663062e9-473d-4e87-99bc-6f3684b3df40 |
Ansible | Medium | Best Practices | Azure SQL Server's Admin account login must avoid using names like 'Admin', which are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict | Documentation |
SQL Server Predictable Active Directory Account Name 530e8291-2f22-4bab-b7ea-306f1bc2a308 |
Ansible | Medium | Best Practices | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict | Documentation |
Cosmos DB Account Without Tags 23a4dc83-4959-4d99-8056-8e051a82bc1e |
Ansible | Medium | Build Process | Cosmos DB Account must have a mapping of tags. | Documentation |
Storage Account Not Using Latest TLS Encryption Version c62746cf-92d5-4649-9acf-7d48d086f2ee |
Ansible | Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
Security Group is Not Configured da4f2739-174f-4cdd-b9ef-dc3f14b5931f |
Ansible | Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
AKS Network Policy Misconfigured 8c3bedf1-c570-4c3b-b414-d068cd39a00c |
Ansible | Medium | Insecure Configurations | Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined | Documentation |
Redis Cache Allows Non SSL Connections 869e7fb4-30f0-4bdb-b360-ad548f337f2f |
Ansible | Medium | Insecure Configurations | Redis Cache resources should not allow non-SSL connections | Documentation |
Default Network Access is Allowed 974e6fe7-63fd-4fa4-aa72-77b21a4a959d |
Ansible | Medium | Insecure Defaults | Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' | Documentation |
Unrestricted SQL Server Access 3f23c96c-f9f5-488d-9b17-605b8da5842f |
Ansible | Medium | Networking and Firewall | Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' | Documentation |
WAF Is Disabled For Azure Application Gateway 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255 |
Ansible | Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. | Documentation |
Firewall Rule Allows Too Many Hosts To Access Redis Cache 69f72007-502e-457b-bd2d-5012e31ac049 |
Ansible | Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache. | Documentation |
PostgreSQL Log Connections Not Set 7b47138f-ec0e-47dc-8516-e7728fe3cc17 |
Ansible | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
PostgreSQL Log Duration Not Set 729ebb15-8060-40f7-9017-cb72676a5487 |
Ansible | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
AKS Monitoring Logging Disabled d5e83b32-56dd-4247-8c2e-074f43b38a5e |
Ansible | Medium | Observability | Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring | Documentation |
Log Retention Is Not Set 0461b4fd-21ef-4687-929e-484ee4796785 |
Ansible | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
Monitoring Log Profile Without All Activities 89f84a1e-75f8-47c5-83b5-bee8e2de4168 |
Ansible | Medium | Observability | Monitoring log profile captures all the activities (Action, Write, Delete) | Documentation |
PostgreSQL Log Checkpoints Disabled 7ab33ac0-e4a3-418f-a673-50da4e34df21 |
Ansible | Medium | Observability | Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
PostgreSQL Log Disconnections Not Set 054d07b5-941b-4c28-8eef-18989dc62323 |
Ansible | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
PostgreSQL Server Without Connection Throttling a9becca7-892a-4af7-b9e1-44bf20a4cd9a |
Ansible | Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
Small Activity Log Retention Period 37fafbea-dedb-4e0d-852e-d16ee0589326 |
Ansible | Medium | Observability | Ensure that Activity Log Retention is set 365 days or greater | Documentation |
S3 Bucket Allows List Action From All Principals d395a950-12ce-4314-a742-ac5a785ab44e |
Ansible | High | Access Control | S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. | Documentation |
SNS Topic is Publicly Accessible 905f4741-f965-45c1-98db-f7a00a0e5c73 |
Ansible | High | Access Control | SNS Topic Policy should not allow any principal to access | Documentation |
S3 Bucket With All Permissions 6a6d7e56-c913-4549-b5c5-5221e624d2ec |
Ansible | High | Access Control | S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. | Documentation |
IAM Policy Grants Full Permissions b5ed026d-a772-4f07-97f9-664ba0b116f8 |
Ansible | High | Access Control | IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. | Documentation |
S3 Bucket Allows Put Action From All Principals a0f1bfe0-741e-473f-b3b2-13e66f856fab |
Ansible | High | Access Control | S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. | Documentation |
ECS Service Admin Role Is Present 7db727c1-1720-468e-b80e-06697f71e09e |
Ansible | High | Access Control | ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role | Documentation |
S3 Bucket Allows Delete Action From All Principals 6fa44721-ef21-41c6-8665-330d59461163 |
Ansible | High | Access Control | S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. | Documentation |
Authentication Without MFA eee107f9-b3d8-45d3-b9c6-43b5a7263ce1 |
Ansible | High | Access Control | Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating | Documentation |
S3 Bucket ACL Allows Read to Any Authenticated User 75480b31-f349-4b9a-861f-bce19588e674 |
Ansible | High | Access Control | S3 Buckets should not be readable to any authenticated user | Documentation |
IAM Policies With Full Privileges e401d614-8026-4f4b-9af9-75d1197461ba |
Ansible | High | Access Control | IAM policies shouldn't allow full administrative privileges (for all resources) | Documentation |
S3 Bucket ACL Allows Read to All Users a1ef9d2e-4163-40cb-bd92-04f0d602a15d |
Ansible | High | Access Control | S3 Buckets should not be readable to all users | Documentation |
S3 Bucket Allows Get Action From All Principals 53bce6a8-5492-4b1b-81cf-664385f0c4bf |
Ansible | High | Access Control | S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. | Documentation |
S3 Bucket Access to Any Principal 3ab1f27d-52cc-4943-af1d-43c1939e739a |
Ansible | High | Access Control | Checks if the S3 bucket is accessible for all users | Documentation |
SQS Queue Exposed 86b0efa7-4901-4edd-a37a-c034bec6645a |
Ansible | High | Access Control | Checks if the SQS Queue is exposed | Documentation |
User Data Shell Script Is Encoded 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89 |
Ansible | High | Encryption | User Data Shell Script must be encoded | Documentation |
S3 Bucket Without Server-side-encryption 594f54e7-f744-45ab-93e4-c6dbaf6cd571 |
Ansible | High | Encryption | AWS S3 Storage should be protected with SSE (Server-Side Encryption) | Documentation |
ECS Task Definition Container With Plaintext Password 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892 |
Ansible | High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. | Documentation |
IAM Database Auth Not Enabled 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 |
Ansible | High | Encryption | IAM Database Auth Enabled should be configured to true when using compatible engine and version | Documentation |
User Data Contains Encoded Private Key c09f4d3e-27d2-4d46-9453-abbe9687a64e |
Ansible | High | Encryption | User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily | Documentation |
Redis Not Compliant 9f34885e-c08f-4d13-a7d1-cf190c5bd268 |
Ansible | High | Encryption | Check if the redis version is compliant with the necessary AWS PCI DSS requirements | Documentation |
Secure Ciphers Disabled 218413a0-c716-4b94-9e08-0bb70d854709 |
Ansible | High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
Viewer Protocol Policy Allows HTTP a6d27cf7-61dc-4bde-ae08-3b353b609f76 |
Ansible | High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
ELB Using Insecure Protocols 730a5951-2760-407a-b032-dd629b55c23a |
Ansible | High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. | Documentation |
CA Certificate Identifier Is Outdated 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce |
Ansible | High | Encryption | The CA certificate Identifier must be 'rds-ca-2019'. | Documentation |
Redshift Not Encrypted 6a647814-def5-4b85-88f5-897c19f509cd |
Ansible | High | Encryption | AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) | Documentation |
S3 Bucket SSE Disabled 309edc5b-5a59-42b4-a357-d4d098311fd4 |
Ansible | High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required | Documentation |
EFS Without KMS bd77554e-f138-40c5-91b2-2a09f878608e |
Ansible | High | Encryption | Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys | Documentation |
ELB Using Weak Ciphers 2034fb37-bc23-4ca0-8d95-2b9f15829ab5 |
Ansible | High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. | Documentation |
AMI Not Encrypted 97707503-a22c-4cd7-b7c0-f088fa7cf830 |
Ansible | High | Encryption | AWS AMI Encryption is not enabled | Documentation |
DB Instance Storage Not Encrypted 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff |
Ansible | High | Encryption | AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. | Documentation |
Kinesis Not Encrypted With KMS f2ea6481-1d31-4d40-946a-520dc6321dd7 |
Ansible | High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS | Documentation |
Launch Configuration Is Not Encrypted 66477506-6abb-49ed-803d-3fa174cd5f6a |
Ansible | High | Encryption | AWS Autoscaling Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume | Documentation |
EFS Not Encrypted 727c4fd4-d604-4df6-a179-7713d3c85e20 |
Ansible | High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
EC2 Group Has Public Interface 5330b503-3319-44ff-9b1c-00ee873f728a |
Ansible | High | Insecure Configurations | The CIDR IP should not be a public interface | Documentation |
DB Instance Publicly Accessible c09e3ca5-f08a-4717-9c87-3919c5e6d209 |
Ansible | High | Insecure Configurations | RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). | Documentation |
CloudFront Without Minimum Protocol TLS 1.2 d0c13053-d2c8-44a6-95da-d592996e9e67 |
Ansible | High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
ECS Task Definition Network Mode Not Recommended 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f |
Ansible | High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
KMS Key With Vulnerable Policy 5b9d237a-57d5-4177-be0e-71434b0fef47 |
Ansible | High | Insecure Configurations | Checks if the policy is vulnerable and needs updating. | Documentation |
S3 Bucket with Unsecured CORS Rule 3505094c-f77c-4ba0-95da-f83db712f86c |
Ansible | High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure | Documentation |
Redshift Publicly Accessible 5c6b727b-1382-4629-8ba9-abd1365e5610 |
Ansible | High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) | Documentation |
Batch Job Definition With Privileged Container Properties defe5b18-978d-4722-9325-4d1975d3699f |
Ansible | High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
Root Account Has Active Access Keys e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40 |
Ansible | High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. | Documentation |
Vulnerable Default SSL Certificate fb8f8929-afeb-4c46-99f0-a6cf410f7df4 |
Ansible | High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. | Documentation |
Unrestricted Security Group Ingress 83c5fa4c-e098-48fc-84ee-0a537287ddd2 |
Ansible | High | Networking and Firewall | Security groups allow ingress from 0.0.0.0/0 | Documentation |
EC2 Instance Has Public IP a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1 |
Ansible | High | Networking and Firewall | EC2 Instance should not have a public IP address. | Documentation |
DB Security Group With Public Scope 0956aedf-6a7a-478b-ab56-63e2b19923ad |
Ansible | High | Networking and Firewall | The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it | Documentation |
Default Security Groups With Unrestricted Traffic 8010e17a-00e9-4635-a692-90d6bcec68bd |
Ansible | High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. | Documentation |
Route53 Record Undefined 445dce51-7e53-4e50-80ef-7f94f14169e4 |
Ansible | High | Networking and Firewall | Route53 Record should have a list of records | Documentation |
HTTP Port Open To Internet a14ad534-acbe-4a8e-9404-2f7e1045646e |
Ansible | High | Networking and Firewall | The HTTP port is open to the internet in a Security Group | Documentation |
Security Group Ingress Not Restricted ea6bc7a6-d696-4dcf-a788-17fa03c17c81 |
Ansible | High | Networking and Firewall | AWS Security Group should restrict ingress access | Documentation |
DB Security Group Open To Large Scope ea0ed1c7-9aef-4464-b7c7-94c762da3640 |
Ansible | High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. | Documentation |
Unknown Port Exposed To Internet 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b |
Ansible | High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
ALB Listening on HTTP f81d63d2-c5d7-43a4-a5b5-66717a41c895 |
Ansible | High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP | Documentation |
RDS Associated with Public Subnet 16732649-4ff6-4cd2-8746-e72c13fae4b8 |
Ansible | High | Networking and Firewall | RDS should not run in public subnet | Documentation |
Security Group With Unrestricted Access To SSH 57ced4b9-6ba4-487b-8843-b65562b90c77 |
Ansible | High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Security Group | Documentation |
Remote Desktop Port Open To Internet eda7301d-1f3e-47cf-8d4e-976debc64341 |
Ansible | High | Networking and Firewall | The Remote Desktop port is open to the internet in a Security Group | Documentation |
Public Port Wide 71ea648a-d31a-4b5a-a589-5674243f1c33 |
Ansible | High | Networking and Firewall | AWS Security Group should not have public port wide | Documentation |
Configuration Aggregator to All Regions Disabled a2fdf451-89dd-451e-af92-bf6c0f4bab96 |
Ansible | High | Observability | AWS Config Configuration Aggregator All Regions must be set to True | Documentation |
CloudTrail Logging Disabled d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5 |
Ansible | High | Observability | Checks if logging is enabled for CloudTrail. | Documentation |
CMK Rotation Disabled af96d737-0818-4162-8c41-40d969bd65d1 |
Ansible | High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. | Documentation |
ECR Repository Is Publicly Accessible fb5a5df7-6d74-4243-ab82-ff779a958bfd |
Ansible | Medium | Access Control | Amazon ECR image repositories shouldn't have public access | Documentation |
S3 Bucket With Public Access c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 |
Ansible | Medium | Access Control | S3 Bucket allows public access | Documentation |
SQS Policy Allows All Actions ed9b3beb-92cf-44d9-a9d2-171eeba569d4 |
Ansible | Medium | Access Control | SQS policy allows ALL (*) actions | Documentation |
API Gateway Without Configured Authorizer b16cdb37-ce15-4ab2-8401-d42b05d123fc |
Ansible | Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer | Documentation |
SQS Policy With Public Access d994585f-defb-4b51-b6d2-c70f020ceb10 |
Ansible | Medium | Access Control | Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue | Documentation |
Public Lambda via API Gateway 5e92d816-2177-4083-85b4-f61b4f7176d9 |
Ansible | Medium | Access Control | Allows running a Lambda function through a public API Gateway | Documentation |
IAM Access Key Is Exposed 7f79f858-fbe8-4186-8a2c-dfd0d958a40f |
Ansible | Medium | Access Control | Check if IAM Access Key is active for some user besides 'root' | Documentation |
Certificate Has Expired 5a443297-19d4-4381-9e5b-24faf947ec22 |
Ansible | Medium | Access Control | Expired SSL/TLS certificates should be removed | Documentation |
Lambda Permission Principal Is Wildcard 1d972c56-8ec2-48c1-a578-887adb09c57a |
Ansible | Medium | Access Control | Lambda Permission Principal should not contain a wildcard. | Documentation |
AMI Shared With Multiple Accounts a19b2942-142e-4e2b-93b7-6cf6a6c8d90f |
Ansible | Medium | Access Control | Limits access to AWS AMIs by checking if more than one account is using the same image | Documentation |
SES Policy With Allowed IAM Actions 8ed0bfce-f780-46d4-b086-21c3628f09ad |
Ansible | Medium | Access Control | SES policy should not allow IAM actions to all principals | Documentation |
IAM Policies Attached To User eafe4bc3-1042-4f88-b988-1939e64bf060 |
Ansible | Medium | Access Control | IAM policies should be attached only to groups or roles | Documentation |
Cross-Account IAM Assume Role Policy Without ExternalId or MFA af167837-9636-4086-b815-c239186b9dda |
Ansible | Medium | Access Control | Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access | Documentation |
CMK Is Unusable 133fee21-37ef-45df-a563-4d07edc169f4 |
Ansible | Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. | Documentation |
Auto Scaling Group With No Associated ELB 050f085f-a8db-4072-9010-2cca235cc02f |
Ansible | Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. | Documentation |
ECS Service Without Running Tasks f5c45127-1d28-4b49-a692-0b97da1c3a84 |
Ansible | Medium | Availability | ECS Service should have at least 1 task running | Documentation |
Stack Retention Disabled 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 |
Ansible | Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction | Documentation |
RDS With Backup Disabled e69890e6-fce5-461d-98ad-cb98318dfc96 |
Ansible | Medium | Backup | Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup | Documentation |
Misconfigured Password Policy Expiration 3f2cf811-88fa-4eda-be45-7a191a18aba9 |
Ansible | Medium | Best Practices | No password expiration policy | Documentation |
IAM Password Without Lowercase Letter 8e3063f4-b511-45c3-b030-f3b0c9131951 |
Ansible | Medium | Best Practices | IAM Password should have at least one lowercase letter | Documentation |
IAM Password Without Number 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8 |
Ansible | Medium | Best Practices | IAM user resource Login Profile Password should have at least one number | Documentation |
Password Without Reuse Prevention 6f5f5444-1422-495f-81ef-24cefd61ed2c |
Ansible | Medium | Best Practices | Password policy password_reuse_prevention doesn't exist or is equal to 0 | Documentation |
IAM Password Without Uppercase Letter 83957b81-39c1-4191-8e12-671d2ce14354 |
Ansible | Medium | Best Practices | IAM password should have at least one uppercase letter | Documentation |
IAM Password Without Minimum Length 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d |
Ansible | Medium | Best Practices | IAM password should have the required minimum length | Documentation |
Stack Without Template 32d31f1f-0f83-4721-b7ec-1e6948c60145 |
Ansible | Medium | Build Process | AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body | Documentation |
CodeBuild Not Encrypted a1423864-2fbc-4f46-bfe1-fbbf125c71c9 |
Ansible | Medium | Encryption | CodeBuild Project should be encrypted | Documentation |
Memcached Disabled 2d55ef88-b616-4890-b822-47f280763e89 |
Ansible | Medium | Encryption | Check if the Memcached is disabled on the ElastiCache | Documentation |
EBS Volume Encryption Disabled 4b6012e7-7176-46e4-8108-e441785eae57 |
Ansible | Medium | Encryption | EBS volumes should be encrypted | Documentation |
Config Rule For Encrypted Volumes Disabled 7674a686-e4b1-4a95-83d4-1fd53c623d84 |
Ansible | Medium | Encryption | Check if AWS config rules do not identify Encrypted Volumes as a source. | Documentation |
SQS With SSE Disabled e1e7b278-2a8b-49bd-a26e-66a7f70b17eb |
Ansible | Medium | Encryption | Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) | Documentation |
ECR Image Tag Not Immutable 60bfbb8a-c72f-467f-a6dd-a46b7d612789 |
Ansible | Medium | Insecure Configurations | ECR should have image tags set to immutable. This prevents image tags from being overwritten. | Documentation |
Lambda Function Without Tags 265d9725-2fb8-42a2-bc57-3279c5db82d5 |
Ansible | Medium | Insecure Configurations | AWS Lambda Functions must have associated tags. | Documentation |
AWS Password Policy With Unchangeable Passwords e28ceb92-d588-4166-aac5-766c8f5b7472 |
Ansible | Medium | Insecure Configurations | Unchangeable passwords in AWS password policy | Documentation |
API Gateway Without SSL Certificate b47b98ab-e481-4a82-8bb1-1ab39fd36e33 |
Ansible | Medium | Insecure Configurations | SSL Client Certificate should be enabled | Documentation |
Certificate RSA Key Bytes Lower Than 256 d5ec2080-340a-4259-b885-f833c4ea6a31 |
Ansible | Medium | Insecure Configurations | The certificate should use an RSA key with a length equal to or higher than 256 bytes | Documentation |
Instance With No VPC 61d1a2d0-4db8-405a-913d-5d2ce49dff6f |
Ansible | Medium | Insecure Configurations | EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | Documentation |
API Gateway Endpoint Config is Not Private 559439b2-3e9c-4739-ac46-17e3b24ec215 | Ansible | Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet | Documentation |
API Gateway without WAF f5f38943-664b-4acc-ab11-f292fa10ed0b | Ansible | Medium | Networking and Firewall | API Gateway should have WAF (Web Application Firewall) enabled | Documentation |
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible 7af1c447-c014-4f05-bd8b-ebe3a15734ac | Ansible | Medium | Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. | Documentation |
API Gateway With CloudWatch Logging Disabled 72a931c2-12f5-40d1-93cc-47bff2f7aa2a | Ansible | Medium | Observability | AWS CloudWatch Logs for APIs is not enabled | Documentation |
S3 Bucket Without Versioning 9232306a-f839-40aa-b3ef-b352001da9a5 | Ansible | Medium | Observability | S3 bucket should have versioning enabled | Documentation |
CloudTrail Not Integrated With CloudWatch ebb2118a-03bc-4d53-ab43-d8750f5cb8d3 | Ansible | Medium | Observability | CloudTrail should be integrated with CloudWatch | Documentation |
CloudTrail SNS Topic Name Undefined 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92 | Ansible | Medium | Observability | Check if SNS topic name is set for CloudTrail | Documentation |
CloudFront Logging Disabled d31cb911-bf5b-4eb6-9fc3-16780c77c7bd | Ansible | Medium | Observability | AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true | Documentation |
API Gateway X-Ray Disabled 2059155b-27fd-441e-b616-6966c468561f | Ansible | Medium | Observability | API Gateway should have X-Ray Tracing enabled | Documentation |
CloudTrail Multi Region Disabled 6ad087d7-a509-4b20-b853-9ef6f5ebaa98 | Ansible | Medium | Observability | CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true | Documentation |
CloudWatch Without Retention Period Specified e24e18d9-4c2b-4649-b3d0-18c088145e24 | Ansible | Medium | Observability | AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events | Documentation |
Stack Notifications Disabled d39761d7-94ab-45b0-ab5e-27c44e381d58 | Ansible | Medium | Observability | AWS CloudFormation should have stack notifications enabled to be notified when an event occurs | Documentation |
S3 Bucket Logging Disabled c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d | Ansible | Medium | Observability | Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable | Documentation |
No Stack Policy ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9 | Ansible | Medium | Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions | Documentation |
Hardcoded AWS Access Key c2f15af3-66a0-4176-a56e-e4711e502e5c | Ansible | Medium | Secret Management | AWS Access Key should not be hardcoded | Documentation |
Hardcoded AWS Access Key In Lambda f34508b9-f574-4330-b42d-88c44cced645 | Ansible | Medium | Secret Management | Lambda access/secret keys should not be hardcoded | Documentation |
IAM Group Without Users f509931b-bbb0-443c-bd9b-10e92ecf2193 | Ansible | Low | Access Control | IAM Group should have at least one user associated | Documentation |
IAM Policy Grants 'AssumeRole' Permission Across All Services 12a7a7ce-39d6-49dd-923d-aeb4564eb66c | Ansible | Low | Access Control | IAM Policy should not grant 'AssumeRole' permission across all services. | Documentation |
IAM Role Allows All Principals To Assume babdedcf-d859-43da-9a7b-6d72e661a8fd | Ansible | Low | Access Control | IAM role allows all services or principals to assume it | Documentation |
EC2 Instance Using Default Security Group 8d03993b-8384-419b-a681-d1f55149397c | Ansible | Low | Access Control | EC2 instances should not use default security group(s) | Documentation |
CDN Configuration Is Missing b25398a2-0625-4e61-8e4d-a1bb23905bf6 | Ansible | Low | Best Practices | Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. | Documentation |
Lambda Permission Misconfigured 3ddf3417-424d-420d-8275-0724dc426520 | Ansible | Low | Best Practices | Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction' | Documentation |
Automatic Minor Upgrades Disabled 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94 | Ansible | Low | Best Practices | RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. | Documentation |
EFS Without Tags b8a9852c-9943-4973-b8d5-77dae9352851 | Ansible | Low | Build Process | Amazon Elastic Filesystem should have filesystem tags associated | Documentation |
CloudTrail Log Files Not Encrypted With KMS f5587077-3f57-4370-9b4e-4eb5b1bac85b | Ansible | Low | Encryption | Logs delivered by CloudTrail should be encrypted using KMS to increase the security of your CloudTrail | Documentation |
RDS Using Default Port 2cb674f6-32f9-40be-97f2-62c0dc38f0d5 | Ansible | Low | Networking and Firewall | RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 | Documentation |
ElastiCache Without VPC 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f | Ansible | Low | Networking and Firewall | ElastiCache should be launched in a Virtual Private Cloud (VPC) | Documentation |
ElastiCache Using Default Port 7cc6c791-5f68-4816-a564-b9b699f9d26e | Ansible | Low | Networking and Firewall | ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 | Documentation |
EC2 Instance Using Default VPC 8833f180-96f1-46f4-9147-849aafa56029 | Ansible | Low | Networking and Firewall | EC2 Instances should not be configured under a default VPC network | Documentation |
CloudFront Without WAF 22c80725-e390-4055-8d14-a872230f6607 | Ansible | Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service | Documentation |
Redshift Using Default Port e01de151-a7bd-4db4-b49b-3c4775a5e881 | Ansible | Low | Networking and Firewall | Redshift should not use the default port (5439) because an attacker can easily guess the port | Documentation |
Lambda Functions Without X-Ray Tracing 71397b34-1d50-4ee1-97cb-c96c34676f74 | Ansible | Low | Observability | AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' | Documentation |
CloudTrail Log File Validation Disabled 4d8681a2-3d30-4c89-8070-08acd142748e | Ansible | Low | Observability | CloudTrail log file validation should be enabled to determine whether a log file has been tampered with | Documentation |
EC2 Not EBS Optimized 338b6cab-961d-4998-bb49-e5b6a11c9a5c | Ansible | Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance | Documentation |
VM With Full Cloud Access bc20bbc6-0697-4568-9a73-85af1dd97bdd | Ansible | High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs | Documentation |
Cloud Storage Anonymous or Publicly Accessible 086031e1-9d4a-4249-acb3-5bfe4c363db2 | Ansible | High | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' | Documentation |
BigQuery Dataset Is Public 2263b286-2fe9-4747-a0ae-8b4768a2bbd2 | Ansible | High | Access Control | BigQuery dataset is anonymously or publicly accessible | Documentation |
SQL DB Instance Backup Disabled 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8 | Ansible | High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
SQL DB Instance With SSL Disabled d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb | Ansible | High | Encryption | Cloud SQL Database Instance should have SSL enabled | Documentation |
DNSSEC Using RSASHA1 6cf4c3a7-ceb0-4475-8892-3745b84be24a | Ansible | High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
IP Aliasing Disabled ed672a9f-fbf0-44d8-a47d-779501b0db05 | Ansible | High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. | Documentation |
Cluster Master Authentication Disabled 9df7f78f-ebe3-432e-ac3b-b67189c15518 | Ansible | High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
PostgreSQL Misconfigured Logging Duration Flag aed98a2a-e680-497a-8886-277cea0f4514 | Ansible | High | Insecure Configurations | PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' | Documentation |
Cluster Labels Disabled fbe9b2d0-a2b7-47a1-a534-03775f3013f7 | Ansible | High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined | Documentation |
Private Cluster Disabled 3b30e3d6-c99b-4318-b38f-b99db74578b5 | Ansible | High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. | Documentation |
SQL DB Instance Publicly Accessible 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b | Ansible | High | Insecure Configurations | Cloud SQL instances should not be publicly accessible. | Documentation |
Cloud SQL Instance With Contained Database Authentication On 6d34aff3-fdd2-460c-8190-756a3b4969e8 | Ansible | High | Insecure Configurations | SQL Instance should not have Contained Database Authentication On | Documentation |
Network Policy Disabled 98e04ca0-34f5-4c74-8fec-d2e611ce2790 | Ansible | High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false | Documentation |
GKE Legacy Authorization Enabled 300a9964-b086-41f7-9378-b6de3ba1c32b | Ansible | High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. | Documentation |
Client Certificate Disabled 20180133-a0d0-4745-bfe0-94049fbb12a9 | Ansible | High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true | Documentation |
Cloud SQL Instance With Cross DB Ownership Chaining On 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f | Ansible | High | Insecure Configurations | GCP SQL Instance should not have Cross DB Ownership Chaining On | Documentation |
GKE Basic Authentication Enabled 344bf8ab-9308-462b-a6b2-697432e40ba1 | Ansible | High | Insecure Configurations | GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty | Documentation |
MySQL Instance With Local Infile On a7b520bb-2509-4fb0-be05-bc38f54c7a4c | Ansible | High | Insecure Configurations | MySQL Instance should not have Local Infile On | Documentation |
GKE Master Authorized Networks Disabled d43366c5-80b0-45de-bbe8-2338f4ab0a83 | Ansible | High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters | Documentation |
Compute Instance Is Publicly Accessible 829f1c60-2bab-44c6-8a21-5cd9d39a2c82 | Ansible | High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
Stackdriver Logging Disabled 19c9e2a0-fc33-4264-bba1-e3682661e8f7 | Ansible | High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' | Documentation |
PostgreSQL Log Connections Disabled d7a5616f-0a3f-4d43-bc2b-29d1a183e317 | Ansible | High | Observability | PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' | Documentation |
Cloud Storage Bucket Versioning Disabled 7814ddda-e758-4a56-8be3-289a81ded929 | Ansible | High | Observability | Cloud Storage Bucket should have versioning enabled | Documentation |
PostgreSQL Logging Of Temporary Files Disabled d6fae5b6-ada9-46c0-8b36-3108a2a2f77b | Ansible | High | Observability | PostgreSQL database 'log_temp_files' flag isn't set to '0' | Documentation |
Stackdriver Monitoring Disabled 20dcd953-a8b8-4892-9026-9afa6d05a525 | Ansible | High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' | Documentation |
Cloud Storage Bucket Logging Not Enabled 507df964-ad97-4035-ab14-94a82eabdfdd | Ansible | High | Observability | Cloud storage bucket should have logging enabled | Documentation |
Node Auto Upgrade Disabled d6e10477-2e19-4bcd-b8a8-19c65b89ccdf | Ansible | High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters | Documentation |
Google Compute SSL Policy Weak Cipher In Use b28bcd2f-c309-490e-ab7c-35fc4023eb26 | Ansible | Medium | Encryption | This query checks whether a Google Compute SSL Policy has weak cipher suites enabled. To do so, it checks that the TLS version is TLS_1_2, because other versions have weak ciphers | Documentation |
Disk Encryption Disabled 092bae86-6105-4802-99d2-99cd7e7431f3 | Ansible | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined | Documentation |
Cloud DNS Without DNSSEC 80b15fb1-6207-40f4-a803-6915ae619a03 | Ansible | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
Shielded VM Disabled 18d3a83d-4414-49dc-90ea-f0387b2856cc | Ansible | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true | Documentation |
Using Default Service Account 2775e169-e708-42a9-9305-b58aadd2c4dd | Ansible | Medium | Insecure Configurations | Instances must not be configured to use the Default Service Account, which has full access to all Cloud APIs; this means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. | Documentation |
Google Container Node Pool Auto Repair Disabled d58c6f24-3763-4269-9f5b-86b2569a003b | Ansible | Medium | Insecure Configurations | Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. | Documentation |
OSLogin Is Disabled In VM Instance 66dae697-507b-4aef-be18-eec5bd707f33 | Ansible | Medium | Insecure Configurations | VM instance should have OSLogin enabled | Documentation |
GKE Using Default Service Account dc126833-125a-40fb-905a-ce5f2afde240 | Ansible | Medium | Insecure Defaults | Kubernetes Engine Clusters should not be configured to use the default service account | Documentation |
SSH Access Is Not Restricted b2fbf1df-76dd-4d78-a6c0-e538f4a9b016 | Ansible | Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privilege | Documentation |
Google Compute Network Using Default Firewall Rule 29b8224a-60e9-4011-8ac2-7916a659841f | Ansible | Medium | Networking and Firewall | Google Compute Network should not use default firewall rule | Documentation |
RDP Access Is Not Restricted 75418eb9-39ec-465f-913c-6f2b6a80dc77 | Ansible | Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 | Documentation |
IP Forwarding Enabled 11bd3554-cd56-4257-8e25-7aaf30cf8f5f | Ansible | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true | Documentation |
Serial Ports Are Enabled For VM Instances c6fc6f29-dc04-46b6-99ba-683c01aff350 | Ansible | Medium | Networking and Firewall | Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM if they know the username, project ID, SSH key, instance name and zone | Documentation |
Google Compute Network Using Firewall Rule that Allows All Ports 3602d273-3290-47b2-80fa-720162b1a8af | Ansible | Medium | Networking and Firewall | Google Compute Network should not use a firewall rule that allows all ports | Documentation |
PostgreSQL Misconfigured Log Messages Flag 28a757fc-3d8f-424a-90c0-4233363b2711 | Ansible | Medium | Observability | PostgreSQL database 'log_min_messages' flag isn't set to a valid value | Documentation |
PostgreSQL log_checkpoints Flag Not Set To ON 89afe3f0-4681-4ce3-89ed-896cebd4277c | Ansible | Medium | Observability | PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' | Documentation |
COS Node Image Not Used be41f891-96b1-4b9d-b74f-b922a918c778 | Ansible | Medium | Resource Management | The node image should be Container-Optimized OS (COS) | Documentation |
Project-wide SSH Keys Are Enabled In VM Instances 099b4411-d11e-4537-a0fc-146b19762a79 | Ansible | Medium | Secret Management | VM Instance should block project-wide SSH keys | Documentation |
High KMS Rotation Period 79f45008-60b3-4a0a-a302-8311fd3701b4 | Ansible | Medium | Secret Management | KMS Rotation Period should be greater than 365 days. | Documentation |
High Google KMS Crypto Key Rotation Period f9b7086b-deb8-4034-9330-d7fd38f1b8de | Ansible | Medium | Secret Management | Encryption keys should be changed after 90 days | Documentation |
Google Compute Network Using Firewall Rule that Allows Port Range 7289eebd-a477-4064-8ad4-3c044bd70b00 | Ansible | Low | Networking and Firewall | Google Compute Network should not use a firewall rule that allows a port range | Documentation |
Google Compute Subnetwork with Private Google Access Disabled 6a4080ae-79bd-42f6-a924-8f534c1c018b | Ansible | Low | Networking and Firewall | Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes | Documentation |
Run Using apt a1bc27c6-7115-48d8-bf9d-5a7e836845ba | Buildah | Medium | Supply-Chain | apt is discouraged by the Linux distributions as an unattended tool, as its interface may change between versions. Use the more stable apt-get and apt-cache instead | Documentation |
Storage Account Not Forcing HTTPS cb8e4bf0-903d-45c6-a278-9a947d82a27b | Pulumi | High | Encryption | Storage Accounts should enforce the use of HTTPS | Documentation |
Redis Cache Allows Non SSL Connections 49e30ac8-f58e-4222-b488-3dcb90158ec1 | Pulumi | Medium | Encryption | Redis Cache resource should not allow non-SSL connections. | Documentation |
PSP Set To Privileged ee305555-6b1d-4055-94cf-e22131143c34 | Pulumi | Medium | Insecure Configurations | Do not allow pod to request execution as privileged. | Documentation |
Missing App Armor Config 95588189-1abd-4df1-9588-b0a5034f9e87 | Pulumi | Low | Access Control | Containers should be configured with AppArmor for any application to reduce its potential attack surface | Documentation |
ElastiCache Nodes Not Created Across Multi AZ 9b18fc19-7fb8-49b1-8452-9c757c70f926 | Pulumi | Medium | Availability | ElastiCache Nodes should have 'AZMode' set to 'cross-az' in multi-node clusters | Documentation |
ElastiCache Redis Cluster Without Backup e93bbe63-a631-4c0f-b6ef-700d48441ff2 | Pulumi | Medium | Backup | ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 | Documentation |
IAM Password Without Lowercase Letter de92dd34-1b88-43e8-b825-6e02d73c4549 | Pulumi | Medium | Best Practices | IAM Password should have at least one lowercase letter | Documentation |
IAM Password Without Minimum Length 9850d621-7485-44f7-8bdd-b3cf426315cf | Pulumi | Medium | Best Practices | IAM password should have the required minimum length | Documentation |
DynamoDB Table Not Encrypted b6a7e0ae-aed8-4a19-a993-a95760bf8836 | Pulumi | Medium | Encryption | AWS DynamoDB Tables should have serverSideEncryption enabled | Documentation |
API Gateway Without SSL Certificate f27791a5-e2ae-4905-8910-6f995c576d09 | Pulumi | Medium | Insecure Configurations | SSL Client Certificate should be defined | Documentation |
API Gateway Access Logging Disabled bf4b48b9-fc1f-4552-984a-4becdb5bf503 | Pulumi | Medium | Observability | API Gateway should have Access Log Settings defined | Documentation |
DynamoDB Table Point In Time Recovery Disabled 327b0729-4c5c-4c44-8b5c-e476cd9c7290 | Pulumi | Info | Best Practices | It's considered a best practice to have point in time recovery enabled for DynamoDB Table | Documentation |
EC2 Not EBS Optimized d991e4ae-42ab-429b-ab43-d5e5fa9ca633 | Pulumi | Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance | Documentation |
EC2 Instance Monitoring Disabled daa581ef-731c-4121-832d-cf078f67759d | Pulumi | Info | Observability | EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled, data is available in 1-minute periods | Documentation |
Cloud Storage Bucket Logging Not Enabled 48f7e44d-d1d1-44c2-b336-9f11b65c4fb0 | Pulumi | High | Observability | Cloud storage bucket should have logging enabled | Documentation |
Google Compute SSL Policy Weak Cipher In Use 965e8830-2bec-4b9b-a7f0-24dbc200a68f | Pulumi | Medium | Encryption | This query checks whether a Google Compute SSL Policy has weak cipher suites enabled. To do so, it checks that the TLS version is TLS_1_2, because other versions have weak ciphers | Documentation |
Enum Name Not CamelCase daaace5f-c0dc-4835-b526-7a116b7f4b4e | GRPC | Low | Best Practices | All Enum Names should follow CamelCase and start with a Capital Letter | Documentation |
Security Definitions Undefined or Empty e3f026e8-fdb4-4d5a-bcfd-bd94452073fe |
OpenAPI | High | Access Control | Security Definitions Object should be set and not empty | Documentation |
Non OAuth2 Security Requirement Defining OAuth2 Scopes ba239cb9-f342-4c20-812d-7b5a2aa6969e |
OpenAPI | High | Structure and Semantics | If the security scheme is not of type 'oauth2', the array value must be empty | Documentation |
Security Requirement Not Defined In Security Definition a599b0d1-ff89-4cb8-9ece-9951854c06f6 |
OpenAPI | High | Structure and Semantics | All security requirement objects must be defined in 'securityDefinitions' | Documentation |
Operation Using Password Flow 2e44e632-d617-43cb-b294-6bfe72a08938 |
OpenAPI | Medium | Access Control | Operation Object should not use 'password' Flow in OAuth2 authentication | Documentation |
Implicit Flow in OAuth2 (v2) e9817ad8-a8c9-4038-8a2f-db0e6e7b284b |
OpenAPI | Medium | Access Control | There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated | Documentation |
Invalid OAuth2 Authorization URL (v2) 33d96c65-977d-4c33-943f-440baca49185 |
OpenAPI | Medium | Access Control | The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL | Documentation |
Global Security Using Password Flow 2da46be4-4317-4650-9285-56d7103c4f93 |
OpenAPI | Medium | Access Control | Security should not use 'password' Flow in OAuth2 authentication | Documentation |
Security Definitions Allows Password Flow 773116aa-2e6d-416f-bd85-f0301cc05d76 |
OpenAPI | Medium | Access Control | Security Definition Object should not allow 'password' Flow in OAuth2 authentication | Documentation |
Invalid OAuth2 Token URL (v2) 274f910a-0665-4f08-b66d-7058fe927dba |
OpenAPI | Medium | Access Control | OAuth2 security definition flow requires a valid URL in the tokenUrl field | Documentation |
Global Schemes Uses HTTP f30ee711-0082-4480-85ab-31d922d9a2b2 |
OpenAPI | Medium | Encryption | Global Schemes should use 'https' protocol instead of 'http' | Documentation |
Path Scheme Accepts HTTP (v2) a6847dc6-f4ea-45ac-a81f-93291ae6c573 |
OpenAPI | Medium | Encryption | The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection | Documentation |
Schemes Uses HTTP a46928f1-43d7-4671-94e0-2dd99746f389 |
OpenAPI | Medium | Encryption | Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials | Documentation |
Operation Object Without 'produces' be3e170e-1572-461e-a8b6-d963def581ec |
OpenAPI | Medium | Insecure Configurations | Operation Object should have 'produces' feild defined for 'GET'operation | Documentation |
Operation Object Without 'consumes' 0c79e50e-b3cf-490c-b8f6-587c644d4d0c |
OpenAPI | Medium | Insecure Configurations | Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations | Documentation |
Undefined Scope 'securityDefinition' On 'security' Field On Operations 3847280c-9193-40bc-8009-76168e822ce2 |
OpenAPI | Low | Access Control | Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker | Documentation |
Operation Using Implicit Flow f42dfe7e-787d-4478-a75e-a5f3d8a2269e |
OpenAPI | Low | Access Control | Operation Object should not use implicit flow | Documentation |
Undefined Scope 'securityDefinition' On Global 'security' Field 9aa6e95c-d964-4239-a3a8-9f37a3c5a31f |
OpenAPI | Low | Access Control | Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker | Documentation |
Security Definitions Using Basic Auth 221015a8-aa2a-43f5-b00b-ad7d2b1d47a8 |
OpenAPI | Low | Access Control | Security Definition Object should not use basic authentication | Documentation |
Operation Using Basic Auth ceefb058-8065-418f-9c4c-584a78c7e104 |
OpenAPI | Low | Access Control | Operation Object should not use basic authentication | Documentation |
Operation Summary Too Long d47940ca-5970-45cc-bdd1-4d81398cee1f |
OpenAPI | Low | Best Practices | Operation summary should be short (less than 120 characters) | Documentation |
Schema with 'additionalProperties' set as Boolean 3a01790c-ebee-4da6-8fd3-e78657383b75 |
OpenAPI | Info | Best Practices | The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it | Documentation |
Global Schema Definition Not Being Used 6d2e0790-cc3d-4c74-b973-d4e8b09f4455 |
OpenAPI | Info | Best Practices | All global schemas definitions should be in use | Documentation |
Unknown Prefix (v2) 3b615f00-c443-4ba9-acc4-7c308716917d |
OpenAPI | Info | Best Practices | The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' | Documentation |
Invalid Media Type Value (v2) f985a7d2-d404-4a7f-9814-f645f791e46e |
OpenAPI | Info | Best Practices | The Media Type value should match the following format: |
Documentation |
Global Responses Definition Not Being Used 0b76d993-ee52-43e0-8b39-3787d2ddabf1 |
OpenAPI | Info | Best Practices | All global responses definitions should be in use | Documentation |
Global Parameter Definition Not Being Used b30981fa-a12e-49c7-a5bb-eeafb61d0f0f |
OpenAPI | Info | Best Practices | All global parameters definitions should be in use | Documentation |
Constraining Enum Property be1d8733-3731-40c7-a845-734741c6871d |
OpenAPI | Info | Best Practices | There is a constraining keyword in a property which is already restricted by enum values | Documentation |
Schema JSON Reference Does Not Exists (v2) 98295b32-ec09-4b5b-89a9-39853197f914 |
OpenAPI | Info | Structure and Semantics | Schema reference should exists on definitions field | Documentation |
Non Body Parameter Without Schema 73c3bc54-3cc6-4c0a-b30a-e19f2abfc951 |
OpenAPI | Info | Structure and Semantics | The Body Parameter Object should have the attribute 'schema' defined | Documentation |
Operation Object Parameters With 'body' And 'formatData' locations eb3f9744-d24e-4614-b1ff-2a9514eca21c |
OpenAPI | Info | Structure and Semantics | Operation object parameters should not have both 'body' and 'formatData' locations | Documentation |
Object Without Required Property (v2) 5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275 |
OpenAPI | Info | Structure and Semantics | OpenAPI Object should contain all of its required fields | Documentation |
BasePath With Wrong Format b4803607-ed72-4d60-99e2-3fa6edf471c6 |
OpenAPI | Info | Structure and Semantics | The 'basePath' value format must match the pattern '^/' | Documentation |
Multi 'collectionformat' Not Valid For 'in' Parameter 750f6448-27c0-49f8-a153-b81735c1e19c |
OpenAPI | Info | Structure and Semantics | When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' | Documentation |
Parameter Object With Incorrect Ref (v2) 2596545e-1757-4ff7-a15a-8a9a180a42f3 |
OpenAPI | Info | Structure and Semantics | Parameter Object reference must always point to '#/parameters' | Documentation |
Property Not Unique 750b40be-4bac-4f59-bdc4-1ca0e6c3450e |
OpenAPI | Info | Structure and Semantics | Every defined property must be unique throughout the whole API | Documentation |
Body Parameter With Wrong Property c38d630d-a415-4e3e-bac2-65475979ba88 |
OpenAPI | Info | Structure and Semantics | The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' | Documentation |
Host With Invalid Pattern 3d7d7b6c-fb0a-475e-8a28-c125e30d15f0 |
OpenAPI | Info | Structure and Semantics | Host field should be an IP or a valid host name | Documentation |
Schema Object Incorrect Ref (v2) 0220e1c5-65d1-49dd-b7c2-cef6d6cb5283 |
OpenAPI | Info | Structure and Semantics | Schema Object reference must always point to '#/definitions' | Documentation |
Operation Example Mismatch Produces MimeType 2cf35b40-ded3-43d6-9633-c8dcc8bcc822 |
OpenAPI | Info | Structure and Semantics | Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' | Documentation |
Multiple Body Parameters In The Same Operation b90033cf-ad9f-4fb9-acd1-1b9d6d278c87 |
OpenAPI | Info | Structure and Semantics | Only one body parameter is allowed on operation's parameters type field | Documentation |
Body Parameter Without Schema ed48229d-d43e-4da7-b453-5f98d964a57a |
OpenAPI | Info | Structure and Semantics | The Body Parameter Object should have the attribute 'schema' defined | Documentation |
File Parameter With Wrong Consumes Property 7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a |
OpenAPI | Info | Structure and Semantics | Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both | Documentation |
Responses JSON Reference Does Not Exists (v2) e9db5fb4-6a84-4abb-b4af-3b94fbdace6d |
OpenAPI | Info | Structure and Semantics | Responses reference should exist on responses definition field | Documentation |
Parameter File Type Not In 'formData' c3cab8c4-6c52-47a9-942b-c27f26fbd7d2 |
OpenAPI | Info | Structure and Semantics | The In field of Parameter Object must be 'formData' when type is 'file' | Documentation |
Response Object With Incorrect Ref (v2) bccfa089-89e4-47e0-a0e5-185fe6902220 |
OpenAPI | Info | Structure and Semantics | Response Object reference must always point to '#/responses' | Documentation |
Unknown Property (v2) 429b2106-ba37-43ba-9727-7f699cc611e1 |
OpenAPI | Info | Structure and Semantics | All properties defined in OpenAPI objects should be known | Documentation |
Parameter JSON Reference Does Not Exists (v2) fb889ae9-2d16-40b5-b41f-9da716c5abc1 |
OpenAPI | Info | Structure and Semantics | Parameter reference should exist on parameters definition field | Documentation |
Security Field On Operations Has An Empty Object Definition (v2) 74581e3b-1d55-4323-a139-5959a7b3abc5 |
OpenAPI | High | Access Control | Security object for operations should not be empty object or has any empty object definition | Documentation |
Security Field On Operations Has An Empty Object Definition (v3) baade968-7467-41e4-bf22-83ca222f5800 |
OpenAPI | High | Access Control | The security object of an operation should not be an empty object and should not contain any empty object definition | Documentation |
Global Security Field Has An Empty Array (v2) da31d54b-ad54-41dc-95eb-8b3828629213 |
OpenAPI | High | Access Control | The security object's array must contain rules, and each rule must be defined in securityScheme | Documentation |
Global Security Field Has An Empty Array (v3) d674aea4-ba8b-454b-bb97-88a772ea33f0 |
OpenAPI | High | Access Control | The security object's array must contain rules, and each rule must be defined in securityScheme | Documentation |
Global security field has an empty object (v2) 292919fb-7b26-4454-bee9-ce29094768dd |
OpenAPI | High | Access Control | Global security definition must not have empty objects | Documentation |
Global security field has an empty object (v3) 543e38f4-1eee-479e-8eb0-15257013aa0a |
OpenAPI | High | Access Control | Global security definition must not have empty objects | Documentation |
Cleartext API Key In Operation Security (v2) 99733b39-6413-4ed8-8acf-dc7cdc9b4e51 |
OpenAPI | High | Access Control | API Keys should not be sent as cleartext over an unencrypted channel | Documentation |
Cleartext API Key In Operation Security (v3) d90d4e40-44c1-4125-87a0-e072c3e195b5 |
OpenAPI | High | Access Control | API Keys should not be sent as cleartext over an unencrypted channel | Documentation |
Global Security Field Is Undefined (v2) 74703c89-0ea2-49ab-a7db-bf04f19f5a57 |
OpenAPI | High | Access Control | The global security field should be defined so that the API has no insecure paths, and its rules should be defined in securityDefinitions | Documentation |
Global Security Field Is Undefined (v3) 8af270ce-298b-4405-9922-82a10aee7a4f |
OpenAPI | High | Access Control | The global security field should be defined so that the API has no insecure paths, and its rules should be defined in securitySchemes | Documentation |
Security Field On Operations Has An Empty Array (v2) 5d29effc-5d68-481f-9721-d74e5919226b |
OpenAPI | High | Access Control | If the security object of an operation is defined, it must define a security scheme; otherwise it should be considered an error | Documentation |
Security Field On Operations Has An Empty Array (v3) 663c442d-f918-4f62-b096-0bf5dcbeb655 |
OpenAPI | High | Access Control | If the security object of an operation is defined, it must define a security scheme; otherwise it should be considered an error | Documentation |
No Global And Operation Security Defined (v2) 586abcee-9653-462d-ad7b-2638a32bd6e6 |
OpenAPI | High | Access Control | All paths should have a security scheme; where an operation omits one, the global security field should be defined | Documentation |
No Global And Operation Security Defined (v3) 96729c6b-7400-4d9e-9807-17f00cdde4d2 |
OpenAPI | High | Access Control | All paths should have a security scheme; where an operation omits one, the global security field should be defined | Documentation |
Array Items Has No Type (v2) 8697a1a4-82c6-4603-8ac8-57529756744e |
OpenAPI | High | Insecure Configurations | Schema/Parameter array items type should be defined | Documentation |
Array Items Has No Type (v3) be0e0df7-f3d9-42a1-9b6f-d425f94872c4 |
OpenAPI | High | Insecure Configurations | Schema array items type should be defined | Documentation |
Array Without Maximum Number of Items (v2) 99eb2c95-2040-4104-9e7c-e16f7474d218 |
OpenAPI | High | Insecure Configurations | Array schema/parameter should have the field 'maxItems' set | Documentation |
Array Without Maximum Number of Items (v3) 6998389e-66b2-473d-8d05-c8d71ac4d04d |
OpenAPI | High | Insecure Configurations | Array schema should have the field 'maxItems' set | Documentation |
Cleartext API Key In Global Security (v2) 70d3873e-d537-46e5-ac3b-4e48fbdd29b4 |
OpenAPI | Medium | Access Control | API Keys should not be sent as cleartext over an unencrypted channel | Documentation |
Cleartext API Key In Global Security (v3) 9c238c97-1991-4c0b-9c7d-6c7912e1dc7c |
OpenAPI | Medium | Access Control | API Keys should not be sent as cleartext over an unencrypted channel | Documentation |
API Key Exposed In Global Security (v2) 533a0d13-6e89-4551-ae33-bce14e5849c1 |
OpenAPI | Medium | Access Control | API Keys should not be transported over the network | Documentation |
API Key Exposed In Global Security (v3) aecee30b-8ea1-4776-a99c-d6d600f0862f |
OpenAPI | Medium | Access Control | API Keys should not be transported over the network | Documentation |
String Schema with Broad Pattern (v2) e4a019f0-9af3-49c8-bf68-1939a6ff240d |
OpenAPI | Medium | Insecure Configurations | String schema should restrict the pattern | Documentation |
String Schema with Broad Pattern (v3) 8c81d6c0-716b-49ec-afa5-2d62da4e3f3c |
OpenAPI | Medium | Insecure Configurations | String schema should restrict the pattern | Documentation |
Numeric Schema Without Format (v2) 3ed8fc82-c2bb-49e0-811f-c53923674c49 |
OpenAPI | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'format' defined. | Documentation |
Numeric Schema Without Format (v3) fbf699b5-ef74-4542-9cf1-f6eeac379373 |
OpenAPI | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'format' defined. | Documentation |
Maximum Length Undefined (v2) 2ec86e48-ab90-4cb6-a131-0502afd1f442 |
OpenAPI | Medium | Insecure Configurations | String schema/parameter/header should have 'maxLength' defined. | Documentation |
Maximum Length Undefined (v3) 8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85 |
OpenAPI | Medium | Insecure Configurations | String schema should have 'maxLength' defined. | Documentation |
JSON Object Schema Without Type (v2) 62d52544-82ef-4b75-8308-cad49d50212b |
OpenAPI | Medium | Insecure Configurations | Schema of the JSON object should have 'type' defined. | Documentation |
JSON Object Schema Without Type (v3) e2ffa504-d22a-4c94-b6c5-f661849d2db7 |
OpenAPI | Medium | Insecure Configurations | Schema of the JSON object should have 'type' defined. | Documentation |
Pattern Undefined (v2) afde15cf-9444-4126-8c62-41cd79db1d1d |
OpenAPI | Medium | Insecure Configurations | String schema/parameter/header should have 'pattern' defined. | Documentation |
Pattern Undefined (v3) 00b78adf-b83f-419c-8ed8-c6018441dd3a |
OpenAPI | Medium | Insecure Configurations | String schema should have 'pattern' defined. | Documentation |
Numeric Schema Without Minimum (v2) efd1dfc8-da91-4909-a3f3-c23abc5ec799 |
OpenAPI | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. | Documentation |
Numeric Schema Without Minimum (v3) 181bd815-767e-4e95-a24d-bb3c87328e19 |
OpenAPI | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. | Documentation |
Numeric Schema Without Maximum (v2) 203eee11-15b6-4d47-b888-4c7f534967ee |
OpenAPI | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. | Documentation |
Numeric Schema Without Maximum (v3) 2ea04bef-c769-409e-9179-ee3a50b5c0ac |
OpenAPI | Medium | Insecure Configurations | Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. | Documentation |
Schema Object is Empty (v2) 967575e5-eb44-4c24-aadb-7e33608ed30a |
OpenAPI | Medium | Insecure Configurations | The Schema Object should not be empty, since an empty schema accepts any JSON value | Documentation |
Schema Object is Empty (v3) 500ce696-d501-41dd-86eb-eceb011a386f |
OpenAPI | Medium | Insecure Configurations | The Schema Object should not be empty, since an empty schema accepts any JSON value | Documentation |
JSON Object Schema Without Properties (v2) 3d28f751-bc18-4f83-ace0-216b6086410b |
OpenAPI | Medium | Insecure Configurations | Schema of the JSON object should have properties defined and 'additionalProperties' set to false. | Documentation |
JSON Object Schema Without Properties (v3) 9d967a2b-9d64-41a6-abea-dfc4960299bd |
OpenAPI | Medium | Insecure Configurations | Schema of the JSON object should have properties defined and 'additionalProperties' set to false. | Documentation |
Response on operations that should not have a body has declared content (v2) 268defd2-2839-4e15-8cbc-de86eb38c231 |
OpenAPI | Medium | Networking and Firewall | If the operation is head, or the response code is 204 or 304, the response should not have a schema defined | Documentation |
Response on operations that should not have a body has declared content (v3) 12a7210b-f4b4-47d0-acac-0a819e2a0ca3 |
OpenAPI | Medium | Networking and Firewall | If the operation is head, or the response code is 204 or 304, the response should not have content defined | Documentation |
Default Response Undefined On Operations (v2) 5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f |
OpenAPI | Medium | Networking and Firewall | Operations responses should have a default response defined | Documentation |
Default Response Undefined On Operations (v3) 86e3702f-c868-44b2-b61d-ea5316c18110 |
OpenAPI | Medium | Networking and Firewall | Operations responses should have a default response defined | Documentation |
Response on operations that should have a body has undefined schema (v2) 31afbcb7-70e0-48bb-a31a-3374f95cf859 |
OpenAPI | Medium | Networking and Firewall | If the operation is not head and the response code is neither 204 nor 304, the response should have a schema defined | Documentation |
Response on operations that should have a body has undefined schema (v3) a92be1d5-d762-484a-86d6-8cd0907ba100 |
OpenAPI | Medium | Networking and Firewall | If the operation is not head and the response code is neither 204 nor 304, the response should have a schema defined | Documentation |
Success Response Code Undefined for Put Operation (v2) 965a043f-5f3c-4d0a-be72-d9ce12fdb4d6 |
OpenAPI | Medium | Networking and Firewall | Put should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Put Operation (v3) 60b5f56b-66ff-4e1c-9b62-5753e16825bc |
OpenAPI | Medium | Networking and Firewall | Put should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Delete Operation (v2) ad432855-b7fb-4429-92a3-93b5ce34f0b1 |
OpenAPI | Medium | Networking and Firewall | Delete should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Delete Operation (v3) 3b497874-ae59-46dd-8d72-1868a3b8f150 |
OpenAPI | Medium | Networking and Firewall | Delete should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Patch Operation (v2) f36e87cc-a209-4f37-8571-66833e4aead7 |
OpenAPI | Medium | Networking and Firewall | Patch should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Patch Operation (v3) 1908a8ee-927d-4166-8f18-241152170cc1 |
OpenAPI | Medium | Networking and Firewall | Patch should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Post Operation (v2) 9fedee41-2e6d-4091-b011-4a16b4c18c70 |
OpenAPI | Medium | Networking and Firewall | Post should define at least one success response (200, 201, 202 or 204) | Documentation |
Success Response Code Undefined for Post Operation (v3) f368dd2d-9344-4146-a05b-7c6faa1269ad |
OpenAPI | Medium | Networking and Firewall | Post should define at least one success response (200, 201, 202 or 204) | Documentation |
Response Code Missing (v2) 6e96ed39-bf45-4089-99ba-f1fe7cf6966f |
OpenAPI | Medium | Networking and Firewall | 500, 429 and 400 responses should be defined for all operations except the head operation. A 415 response should be defined for the post, put and patch operations. A 404 response should be defined for the get, put, head and delete operations. A 200 response should be defined for the options operation. 401 and 403 responses should be defined for all operations when the security field is defined. | Documentation |
Response Code Missing (v3) 6c35d2c6-09f2-4e5c-a094-e0e91327071d |
OpenAPI | Medium | Networking and Firewall | 500, 429 and 400 responses should be defined for all operations except the head operation. A 415 response should be defined for the post, put and patch operations. A 404 response should be defined for the get, put, head and delete operations. A 200 response should be defined for the options operation. 401 and 403 responses should be defined for all operations when the security field is defined. | Documentation |
Success Response Code Undefined for Head Operation (v2) 4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a |
OpenAPI | Medium | Networking and Firewall | Head should define at least one success response (200 or 202) | Documentation |
Success Response Code Undefined for Head Operation (v3) 3b066059-f411-4554-ac8d-96f32bff90da |
OpenAPI | Medium | Networking and Firewall | Head should define at least one success response (200 or 202) | Documentation |
Success Response Code Undefined for Get Operation (v2) 9b633f3b-c94b-4fbb-a65b-1a4e9134fb63 |
OpenAPI | Medium | Networking and Firewall | Get should define at least one success response (200 or 202) | Documentation |
Success Response Code Undefined for Get Operation (v3) b2f275be-7d64-4064-b418-be6b431363a7 |
OpenAPI | Medium | Networking and Firewall | Get should define at least one success response (200 or 202) | Documentation |
API Key Exposed In Operation Security (v2) 392599e4-a4e2-403d-bc56-3fe05755782d |
OpenAPI | Low | Access Control | API Keys should not be transported over the network | Documentation |
API Key Exposed In Operation Security (v3) 281b8071-6226-4a43-911d-fec246d422c2 |
OpenAPI | Low | Access Control | API Keys should not be transported over the network | Documentation |
Invalid Format (v2) caf1793e-95dd-4b18-8d90-8f3c0ab5bddf |
OpenAPI | Low | Insecure Configurations | The format should be valid for the defined type: for the integer type it must be int32 or int64, and for the number type it must be float or double | Documentation |
Invalid Format (v3) d929c031-078f-4241-b802-e224656ad890 |
OpenAPI | Low | Insecure Configurations | The format should be valid for the defined type: for the integer type it must be int32 or int64, and for the number type it must be float or double | Documentation |
Invalid Tag External Documentation URL (v2) b4a7d925-738b-4219-99d9-87d6ee262a03 |
OpenAPI | Info | Best Practices | Tag External Documentation URL should be a valid URL | Documentation |
Invalid Tag External Documentation URL (v3) 5aea1d7e-b834-4749-b143-2c7ec3bd5922 |
OpenAPI | Info | Best Practices | Tag External Documentation URL should be a valid URL | Documentation |
Invalid Contact URL (v2) c7000383-16d0-4509-8cd3-585e5ea2e2f2 |
OpenAPI | Info | Best Practices | Contact Object URL should be a valid URL | Documentation |
Invalid Contact URL (v3) 332cf2ad-380d-4b90-b436-46f8e635cf38 |
OpenAPI | Info | Best Practices | Contact Object URL should be a valid URL | Documentation |
Operation Without Successful HTTP Status Code (v2) a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2 |
OpenAPI | Info | Best Practices | Operation Object should have at least one successful HTTP status code defined | Documentation |
Operation Without Successful HTTP Status Code (v3) 48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd |
OpenAPI | Info | Best Practices | Operation Object should have at least one successful HTTP status code defined | Documentation |
Object Using Enum With Keyword (v2) 7f15962a-d862-451c-ac9b-84ec13747aa6 |
OpenAPI | Info | Best Practices | Schema/Parameter/Header Object properties should not combine 'enum' with other schema keywords | Documentation |
Object Using Enum With Keyword (v3) 2e9b6612-8f69-42e0-a5b8-ed17739c2f3a |
OpenAPI | Info | Best Practices | Schema Object properties should not combine 'enum' with other schema keywords | Documentation |
Header Parameter Named as 'Accept' (v2) 3ddd74cc-6582-486c-8b0c-2b48cb38e0a3 |
OpenAPI | Info | Best Practices | The header Parameter should not be named 'Accept'; if it is, it will be ignored. | Documentation |
Header Parameter Named as 'Accept' (v3) f2702af5-6016-46cb-bbc8-84c766032095 |
OpenAPI | Info | Best Practices | The header Parameter should not be named 'Accept'; if it is, it will be ignored. | Documentation |
Invalid Operation External Documentation URL (v2) 25635c31-ee32-4708-88e5-fced87516f51 |
OpenAPI | Info | Best Practices | Operation External Documentation URL should be a valid URL | Documentation |
Invalid Operation External Documentation URL (v3) 5ea61624-3733-4a3a-8ca4-b96fec9c5aeb |
OpenAPI | Info | Best Practices | Operation External Documentation URL should be a valid URL | Documentation |
Invalid Global External Documentation URL (v2) 46d3b74d-9fe9-45bf-9e9e-efb7f701ee28 |
OpenAPI | Info | Best Practices | Global External Documentation URL should be a valid URL | Documentation |
Invalid Global External Documentation URL (v3) b2d9dbf6-539c-4374-a1fd-210ddf5563a8 |
OpenAPI | Info | Best Practices | Global External Documentation URL should be a valid URL | Documentation |
Invalid License URL (v2) de2b4910-8484-46d6-a055-dc1e793ee3ff |
OpenAPI | Info | Best Practices | License Object URL should be a valid URL | Documentation |
Invalid License URL (v3) 9239c289-9e4c-4d92-8be1-9d506057c971 |
OpenAPI | Info | Best Practices | License Object URL should be a valid URL | Documentation |
Header Parameter Named as 'Authorization' (v2) e2e00c97-7171-4fb4-b461-d631df9a711c |
OpenAPI | Info | Best Practices | The header Parameter should not be named 'Authorization'; if it is, it will be ignored. | Documentation |
Header Parameter Named as 'Authorization' (v3) 8c84f75e-5048-4926-a4cb-33e7b3431300 |
OpenAPI | Info | Best Practices | The header Parameter should not be named 'Authorization'; if it is, it will be ignored. | Documentation |
Header Response Name Is Invalid (v2) 86733e01-a435-4bd5-a8b0-5108be9dc1e4 |
OpenAPI | Info | Best Practices | The Header Response should not be named 'Content-Type', 'Authorization' or 'Accept'; if it is, it will be ignored. | Documentation |
Header Response Name Is Invalid (v3) d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd |
OpenAPI | Info | Best Practices | The Header Response should not be named 'Content-Type', 'Authorization' or 'Accept'; if it is, it will be ignored. | Documentation |
Path Without Operation (v2) 609cd557-66b4-41fa-8edd-2abc6c7cfd08 |
OpenAPI | Info | Best Practices | Path object should have at least one operation object defined | Documentation |
Path Without Operation (v3) 84c826c9-1893-4b34-8cdd-db97645b4bf3 |
OpenAPI | Info | Best Practices | Path object should have at least one operation object defined | Documentation |
Header Parameter Named as 'Content-Type' (v2) 51978067-3b22-4c29-aaf3-96bf0bc28897 |
OpenAPI | Info | Best Practices | The header Parameter should not be named 'Content-Type'; if it is, it will be ignored. | Documentation |
Header Parameter Named as 'Content-Type' (v3) 72d259ca-9741-48dd-9f62-eb11f2936b37 |
OpenAPI | Info | Best Practices | The header Parameter should not be named 'Content-Type'; if it is, it will be ignored. | Documentation |
Required Property With Default Value (v2) f7ab6c83-ef89-40e1-8a99-32e2599fb665 |
OpenAPI | Info | Best Practices | Required properties receive their value from the request, so declaring a default value is unnecessary | Documentation |
Required Property With Default Value (v3) 013bdb4b-9246-4248-b0c3-7fb0fee42a29 |
OpenAPI | Info | Best Practices | Required properties receive their value from the request, so declaring a default value is unnecessary | Documentation |
Invalid Contact Email (v2) d83bebc8-4e5e-4241-b783-cba9fb5a1c9a |
OpenAPI | Info | Best Practices | Contact Object Email should be a valid email | Documentation |
Invalid Contact Email (v3) b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7 |
OpenAPI | Info | Best Practices | Contact Object Email should be a valid email | Documentation |
Example Not Compliant With Schema Type (v2) 448db771-06ea-4dee-b48c-1689cbfb4b43 |
OpenAPI | Info | Best Practices | Example values and fields should comply with the schema type | Documentation |
Example Not Compliant With Schema Type (v3) 881a6e71-c2a7-4fe2-b9c3-dfcf08895331 |
OpenAPI | Info | Best Practices | Example values and fields should comply with the schema type | Documentation |
Invalid Schema External Documentation URL (v2) f7fa95b7-d819-484c-9a2b-665dd1bba25e |
OpenAPI | Info | Best Practices | Schema External Documentation URL should be a valid URL | Documentation |
Invalid Schema External Documentation URL (v3) 6952a7e0-6e48-4285-bbc1-27c64e60f888 |
OpenAPI | Info | Best Practices | Schema External Documentation URL should be a valid URL | Documentation |
JSON '$ref' alongside other properties (v2) f34c1c68-4773-4df0-a103-6e2ca32e585f |
OpenAPI | Info | Best Practices | Any field in the OpenAPI specification that accepts '$ref' is treated as a Reference Object, which may contain only the '$ref' key | Documentation |
JSON '$ref' alongside other properties (v3) 96beb800-566f-49a9-a0ea-dbdf4bc80429 |
OpenAPI | Info | Best Practices | Any field in the OpenAPI specification that accepts '$ref' is treated as a Reference Object, which may contain only the '$ref' key | Documentation |
Parameter Objects Headers With Duplicated Name (v2) bd2cbef5-62c4-40f1-af07-4b7f9ced6616 |
OpenAPI | Info | Structure and Semantics | Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. | Documentation |
Parameter Objects Headers With Duplicated Name (v3) 05505192-ba2c-4a81-9b25-dcdbcc973746 |
OpenAPI | Info | Structure and Semantics | Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. | Documentation |
Path Is Ambiguous (v2) b2468463-3ac4-4930-890c-f35b2bf4485d |
OpenAPI | Info | Structure and Semantics | All paths should be unique; if a path has more than one operation, all of its operations should be part of the same Path Object | Documentation |
Path Is Ambiguous (v3) 237402e2-c2f0-46c9-9cf5-286160cf7bfc |
OpenAPI | Info | Structure and Semantics | All paths should be unique; if a path has more than one operation, all of its operations should be part of the same Path Object | Documentation |
Schema Enum Invalid (v2) 8fe6d18a-ad4c-4397-8884-e3a9da57f4c9 |
OpenAPI | Info | Structure and Semantics | The field 'enum' of Schema Object should be consistent with the schema's type | Documentation |
Schema Enum Invalid (v3) 03856cb2-e46c-4daf-bfbf-214ec93c882b |
OpenAPI | Info | Structure and Semantics | The field 'enum' of Schema Object should be consistent with the schema's type | Documentation |
Schema Object Properties With Duplicated Keys (v2) ded017bf-fb13-4f8d-868b-84aebcc572ad |
OpenAPI | Info | Structure and Semantics | Schema Object property keys should be unique throughout the fields 'properties', 'allOf' and 'additionalProperties' | Documentation |
Schema Object Properties With Duplicated Keys (v3) 10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa |
OpenAPI | Info | Structure and Semantics | Schema Object property keys should be unique throughout the fields 'properties', 'allOf' and 'additionalProperties' | Documentation |
Template Path With No Corresponding Path Parameter (v2) e7656d8d-7288-4bbe-b07b-22b389be75ce |
OpenAPI | Info | Structure and Semantics | The template path must have a corresponding path parameter for a given operation | Documentation |
Template Path With No Corresponding Path Parameter (v3) 561710b1-b845-4562-95ce-2397a05ccef4 |
OpenAPI | Info | Structure and Semantics | The template path must have a corresponding path parameter for a given operation | Documentation |
Path Parameter With No Corresponding Template Path (v2) 194ef1f8-360e-4c14-8ed2-e83e2bafa142 |
OpenAPI | Info | Structure and Semantics | The path parameter must have a corresponding template path for a given operation | Documentation |
Path Parameter With No Corresponding Template Path (v3) 69d7aefd-149d-47b8-8d89-1c2181a8067b |
OpenAPI | Info | Structure and Semantics | The path parameter must have a corresponding template path for a given operation | Documentation |
Schema Has A Required Property Undefined (v2) 811762c8-2e99-4f70-88f9-a63875a953b1 |
OpenAPI | Info | Structure and Semantics | Schema Object should not have a required property that is not defined in its properties | Documentation |
Schema Has A Required Property Undefined (v3) 2bd608ae-8a1f-457f-b710-c237883cb313 |
OpenAPI | Info | Structure and Semantics | Schema Object should not have a required property that is not defined in its properties | Documentation |
Responses With Wrong HTTP Status Code (v2) 069a5378-2091-43f0-aa3b-ee8f20996e99 |
OpenAPI | Info | Structure and Semantics | HTTP Responses status code should be in range of [200-599] | Documentation |
Responses With Wrong HTTP Status Code (v3) d86655c0-92f6-4ffc-b4d5-5b5775804c27 |
OpenAPI | Info | Structure and Semantics | HTTP Responses status code should be in range of [200-599] | Documentation |
Non-Array Schema With Items (v2) 9d47956b-29cd-43b1-9e6e-b39a4d484353 |
OpenAPI | Info | Structure and Semantics | Non-Array Schema should not have 'items' defined | Documentation |
Non-Array Schema With Items (v3) 20cb3159-b219-496b-8dac-54ae3ab2021a |
OpenAPI | Info | Structure and Semantics | Non-Array Schema should not have 'items' defined | Documentation |
Paths Object is Empty (v2) 3e6c7b1c-8a8d-43ab-98b9-65159f44db4a |
OpenAPI | Info | Structure and Semantics | Paths object may be empty due to ACL constraints, meaning they are not exposed | Documentation |
Paths Object is Empty (v3) 815021c8-a50c-46d9-b192-24f71072c400 |
OpenAPI | Info | Structure and Semantics | Paths object may be empty due to ACL constraints, meaning they are not exposed | Documentation |
Schema Discriminator Mismatch Defined Properties (v2) addc0eab-27f6-4c26-8526-d2ccd3732662 |
OpenAPI | Info | Structure and Semantics | Schema discriminator values should match defined properties. | Documentation |
Schema Discriminator Mismatch Defined Properties (v3) 40d3df21-c170-4dbe-9c02-4289b51f994f |
OpenAPI | Info | Structure and Semantics | Schema discriminator values should match defined properties. | Documentation |
Property 'allowEmptyValue' Improperly Defined (v2) 0bc1477d-0922-478b-ae16-674a7634a1a8 |
OpenAPI | Info | Structure and Semantics | Property 'allowEmptyValue' should be only defined for query parameters and formData parameters | Documentation |
Property 'allowEmptyValue' Improperly Defined (v3) 4bcbcd52-3028-469f-bc14-02c7dbba2df2 |
OpenAPI | Info | Structure and Semantics | Property 'allowEmptyValue' should be only defined for query parameters and formData parameters | Documentation |
Items Undefined (v2) 3e4d34d2-36cf-4449-976d-6c256db8fc49 |
OpenAPI | Info | Structure and Semantics | Schema/Parameter items should be defined when the schema/parameter is set to an array. | Documentation |
Items Undefined (v3) a8e859da-4a43-4e7f-94b8-25d6e3bf8e90 |
OpenAPI | Info | Structure and Semantics | Schema/Parameter items should be defined when the schema/parameter is set to an array. | Documentation |
Properties Missing Required Property (v2) 71beb6ab-8b70-4816-a9ac-a0ff1fb22a62 |
OpenAPI | Info | Structure and Semantics | Schema Object should have all required properties defined | Documentation |
Properties Missing Required Property (v3) 3fb03214-25d4-4bd4-867c-c2d8d708a483 |
OpenAPI | Info | Structure and Semantics | Schema Object should have all required properties defined | Documentation |
Property Defining Minimum Greater Than Maximum (v2) b5102ea9-6527-4bb7-94fc-9b4076150e55 |
OpenAPI | Info | Structure and Semantics | The 'minimum' defined on a property should not be greater than its defined 'maximum' | Documentation |
Property Defining Minimum Greater Than Maximum (v3) ab2af219-cd08-4233-b5a1-a788aac88b51 |
OpenAPI | Info | Structure and Semantics | The 'minimum' defined on a property should not be greater than its defined 'maximum' | Documentation |
Default Invalid (v2) 78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07 |
OpenAPI | Info | Structure and Semantics | The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type | Documentation |
Default Invalid (v3) a96bbc06-8cde-4295-ad3c-ee343a7f658e |
OpenAPI | Info | Structure and Semantics | The field 'default' of Schema Object should be consistent with the schema's type | Documentation |
Schema Discriminator Property Not String (v2) 949376f1-f560-4c6d-a016-63424ca931bb |
OpenAPI | Info | Structure and Semantics | Schema discriminator property should be a string | Documentation |
Schema Discriminator Property Not String (v3) dadc2f36-1f5a-46c0-8289-75e626583123 |
OpenAPI | Info | Structure and Semantics | Schema discriminator property should be a string | Documentation |
Responses Object Is Empty (v2) 6172e7ab-d2b7-45f8-a7db-1603931d8ba3 |
OpenAPI | Info | Structure and Semantics | Responses Object should not be empty | Documentation |
Responses Object Is Empty (v3) 990eaf09-d6f1-4c3c-b174-a517b1de8917 |
OpenAPI | Info | Structure and Semantics | Responses Object should not be empty | Documentation |
Schema Discriminator Not Required (v2) be6a3722-af60-438c-b1b9-2a03e2958ab7 |
OpenAPI | Info | Structure and Semantics | The discriminator property in the Schema Object should be a required property | Documentation |
Schema Discriminator Not Required (v3) b481d46c-9c61-480f-86d9-af07146dc4a4 |
OpenAPI | Info | Structure and Semantics | The discriminator property in the Schema Object should be a required property | Documentation |
Path Parameter Not Required (v2) ccd0613f-cb77-4684-a892-183bd2674d12 |
OpenAPI | Info | Structure and Semantics | The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. | Documentation |
Path Parameter Not Required (v3) 0de50145-e845-47f4-9a15-23bcf2125710 |
OpenAPI | Info | Structure and Semantics | The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. | Documentation |
Type Has Invalid Keyword (v2) 492c6cbb-f3f8-4807-aa4f-42b8b1c46b59 |
OpenAPI | Info | Structure and Semantics | A Schema/Parameter/Header Object with a defined type should not use a keyword that belongs to another type | Documentation |
Type Has Invalid Keyword (v3) a9228976-10cf-4b5f-b902-9e962aad037a |
OpenAPI | Info | Structure and Semantics | A Schema Object with a defined type should not use a keyword that belongs to another type | Documentation |
Parameters Name In Combination Not Unique (v2) ab871897-ec02-4835-9818-702536ee1dda |
OpenAPI | Info | Structure and Semantics | The combination of the parameter properties 'name' and 'in' should be unique | Documentation |
Parameters Name In Combination Not Unique (v3) f5b2e6af-76f5-496d-8482-8f898c5fdb4a |
OpenAPI | Info | Structure and Semantics | The combination of the parameter properties 'name' and 'in' should be unique | Documentation |
Schema Object With Circular Ref (v2) cbff2508-85c9-4448-a8b3-770070edf5ca |
OpenAPI | Info | Structure and Semantics | Schema Object should not reference itself in the 'allOf', 'oneOf', 'anyOf' and 'not' properties | Documentation |
Schema Object With Circular Ref (v3) 1a1aea94-745b-40a7-b860-0702ea6ee636 |
OpenAPI | Info | Structure and Semantics | Schema Object should not reference itself in the 'allOf', 'oneOf', 'anyOf' and 'not' properties | Documentation |
OperationId Not Unique (v2) 21245007-91c4-40e5-964e-40c85d1e5aa6 |
OpenAPI | Info | Structure and Semantics | OperationId should be unique when defined | Documentation |
OperationId Not Unique (v3) c254adc4-ef25-46e1-8270-b7944adb4198 |
OpenAPI | Info | Structure and Semantics | OperationId should be unique when defined | Documentation |
Path Template is Empty (v2) c201b7ad-6173-4598-a407-5edb04a1bcd7 |
OpenAPI | Info | Structure and Semantics | Path templates should not be empty | Documentation |
Path Template is Empty (v3) ae13a37d-943b-47a7-a970-83c8598bcca3 |
OpenAPI | Info | Structure and Semantics | Path templates should not be empty | Documentation |
Cleartext Credentials With Basic Authentication For Operation 86b1fa30-9790-4980-994d-a27e0f6f27c1 |
OpenAPI | High | Access Control | Cleartext credentials over unencrypted channel should not be accepted for the operation | Documentation |
Field 'securityScheme' On Components Is Undefined 8db5544e-4874-4baa-9322-e9f75a2d219e |
OpenAPI | High | Access Control | Components' securityScheme field must have a valid scheme | Documentation |
Security Scheme HTTP Unknown Scheme 06764426-3c56-407e-981f-caa25db1c149 |
OpenAPI | Medium | Access Control | Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry | Documentation |
Implicit Flow in OAuth2 (v3) 4a1f3d75-ab73-41b2-83e7-06a93dc3a75a |
OpenAPI | Medium | Access Control | There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated | Documentation |
Security Scheme Using HTTP Basic 68e5fcac-390c-4939-a373-6074b7be7c71 |
OpenAPI | Medium | Access Control | Security Scheme HTTP should not be using basic authentication | Documentation |
Invalid OAuth2 Authorization URL (v3) 52c0d841-60d6-4a81-88dd-c35fef36d315 |
OpenAPI | Medium | Access Control | The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL | Documentation |
Security Scheme Using HTTP Negotiate f525cc92-9050-4c41-a75c-890dc6f64449 |
OpenAPI | Medium | Access Control | Security Scheme HTTP should not be using negotiate authentication | Documentation |
OAuth2 With Implicit Flow 39cb32f2-3a42-4af0-8037-82a7a9654b6c |
OpenAPI | Medium | Access Control | OAuth2 implicit flow is vulnerable to access token leakage and access token replay | Documentation |
Security Scheme Using HTTP Digest a4247b11-890b-45df-bf42-350a7a3af9be |
OpenAPI | Medium | Access Control | Security Scheme HTTP should not be using digest authentication | Documentation |
Invalid OAuth2 Token URL (v3) 3ba0cca1-b815-47bf-ac62-1e584eb64a05 |
OpenAPI | Medium | Access Control | OAuth2 security scheme flow requires a valid URL in the tokenUrl field | Documentation |
OAuth2 With Password Flow 3979b0a4-532c-4ea7-86e4-34c090eaa4f2 |
OpenAPI | Medium | Access Control | OAuth2 password flow insecurely exposes the credentials of the resource owner to the client | Documentation |
Global Server Object Uses HTTP 2d8c175a-6d90-412b-8b0e-e034ea49a1fe |
OpenAPI | Medium | Encryption | Global server object URL should use 'https' protocol instead of 'http' | Documentation |
Path Server Object Uses HTTP (v3) 9670f240-7b4d-4955-bd93-edaa9fa38b58 |
OpenAPI | Medium | Encryption | The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection | Documentation |
Parameter Object Without Schema 8fe1846f-52cc-4413-ace9-1933d7d23672 |
OpenAPI | Medium | Insecure Configurations | The Parameter Object should have the attribute 'schema' defined | Documentation |
Additional Properties Too Restrictive a19c3bbd-c056-40d7-9e1c-eeb0634e320d |
OpenAPI | Medium | Insecure Configurations | Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf | Documentation |
Additional Properties Too Permissive 9f88c88d-824d-4d9a-b985-e22977046042 |
OpenAPI | Medium | Insecure Configurations | Objects should not accept 'additionalProperties' if it is possible | Documentation |
Media Type Object Without Schema f79b9d26-e945-44e7-98a1-b93f0f7a68a0 |
OpenAPI | Medium | Insecure Configurations | The Media Type Object should have the attribute 'schema' defined | Documentation |
Header Object Without Schema 50de3b5b-6465-4e06-a9b0-b4c2ba34326b |
OpenAPI | Medium | Networking and Firewall | The header object should have schema defined | Documentation |
Success Response Code Undefined for Trace Operation 105e20dd-8449-4d71-95c6-d5dac96639af |
OpenAPI | Medium | Networking and Firewall | Trace should define the '200' successful code | Documentation |
API Key Exposed In Global Security Scheme 40e1d1bf-11a9-4f63-a3a2-a8b84c602839 |
OpenAPI | Low | Access Control | API Keys should not be transported over network | Documentation |
Undefined Scope 'securityScheme' On 'security' Field On Operations 462d6a1d-fed9-4d75-bb9e-3de902f35e6e |
OpenAPI | Low | Access Control | A scope used in an operation's 'security' field that is undefined in 'securityScheme' can be defined by an attacker | Documentation |
Undefined Scope 'securityScheme' On Global 'security' Field 23a9e2d9-8738-4556-a71c-2802b6ffa022 |
OpenAPI | Low | Access Control | A scope used in the global 'security' field that is undefined in 'securityScheme' can be defined by an attacker | Documentation |
Security Scheme Using Oauth 1.0 1bc3205c-0d60-44e6-84f3-44fbf4dac5b3 |
OpenAPI | Low | Access Control | OAuth 1.0 is deprecated; OAuth2 should be used instead | Documentation |
Global Security Scheme Using Basic Authentication 77276d82-4f45-4cf1-8e2b-4d345b936228 |
OpenAPI | Low | Access Control | A security scheme is allowing basic authentication credentials to be transported over network | Documentation |
Components Parameter Definition Is Unused 698a464e-bb3e-4ba8-ab5e-e6599b7644a0 |
OpenAPI | Info | Best Practices | Components parameters definitions should be referenced or removed from the OpenAPI definition | Documentation |
Components Request Body Definition Is Unused 6b76f589-9713-44ab-97f5-59a3dba1a285 |
OpenAPI | Info | Best Practices | Components request bodies definitions should be referenced or removed from the OpenAPI definition | Documentation |
Components Callback Definition Is Unused d15db953-a553-4b8a-9a14-a3d62ea3d79d |
OpenAPI | Info | Best Practices | Components callbacks definitions should be referenced or removed from the OpenAPI definition | Documentation |
Property 'style' of Encoding Object Ignored d3ea644a-9a5c-4fee-941f-f8a6786c0470 |
OpenAPI | Info | Best Practices | Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. | Documentation |
Components Header Definition Is Unused a68da022-e95a-4bc2-97d3-481e0bd6d446 |
OpenAPI | Info | Best Practices | Components headers definitions should be referenced or removed from the OpenAPI definition | Documentation |
Unknown Prefix (v3) a5375be3-521c-43bb-9eab-e2432e368ee4 |
OpenAPI | Info | Best Practices | The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' | Documentation |
Invalid Media Type Value (v3) cf4a5f45-a27b-49df-843a-9911dbfe71d4 |
OpenAPI | Info | Best Practices | The Media Type value should match the following format: | Documentation |
Encoding Header 'Content-Type' Improperly Defined 4cd8de87-b595-48b6-ab3c-1904567135ab |
OpenAPI | Info | Best Practices | Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. | Documentation |
Components Link Definition Is Unused c19779a9-5774-4d2f-a3a1-a99831730375 |
OpenAPI | Info | Best Practices | Components links definitions should be referenced or removed from the OpenAPI definition | Documentation |
Components Response Definition Is Unused 9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae |
OpenAPI | Info | Best Practices | Components responses definitions should be referenced or removed from the OpenAPI definition | Documentation |
Components Example Definition Is Unused b05bb927-2df5-43cc-8d7b-6825c0e71625 |
OpenAPI | Info | Best Practices | Components examples definitions should be referenced or removed from the OpenAPI definition | Documentation |
Property 'explode' of Encoding Object Ignored a4dd69b8-49fa-45d2-a060-c76655405b05 |
OpenAPI | Info | Best Practices | Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. | Documentation |
Property 'allowReserved' of Encoding Object Ignored 4190dda7-af03-4cf0-a128-70ac1661ca09 |
OpenAPI | Info | Best Practices | Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. | Documentation |
Property 'allowEmptyValue' Ignored 59c2f769-7cc2-49c8-a3de-4e211135cfab |
OpenAPI | Info | Best Practices | Property 'allowEmptyValue' is ignored in the following cases: {"style": "simple", "explode": false}, {"style": "simple", "explode": true}, {"style": "spaceDelimited", "explode": false}, {"style": "pipeDelimited", "explode": false}, and {"style": "deepObject", "explode": true} | Documentation |
Components Schema Definition Is Unused 962fa01e-b791-4dcc-b04a-4a3e7389be5e |
OpenAPI | Info | Best Practices | Components schemas definitions should be referenced or removed from the OpenAPI definition | Documentation |
Schema JSON Reference Does Not Exists (v3) 015eac96-6313-43c0-84e5-81b1374fa637 |
OpenAPI | Info | Structure and Semantics | Schema reference should exist in the components field | Documentation |
Server Object Variable Not Used 8aee4754-970d-4c5f-8142-a49dfe388b1a |
OpenAPI | Info | Structure and Semantics | Every defined Server Variable Object should be used in a Service URL. | Documentation |
Security Operation Field Undefined 20a482d5-c5d9-4a7a-b7a4-60d0805047b4 |
OpenAPI | Info | Structure and Semantics | Security operation field should be defined in '#/components/securitySchemes' | Documentation |
Empty Array 5915c20f-dffa-4cee-b5d4-f457ddc0151a |
OpenAPI | Info | Structure and Semantics | All array fields should not be empty | Documentation |
Encoding Map Key Mismatch Schema Defined Properties cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b |
OpenAPI | Info | Structure and Semantics | Encoding Map Key should be set in schema defined properties | Documentation |
Invalid Content Type For Multiple Files Upload 26f06397-36d8-4ce7-b993-17711261d777 |
OpenAPI | Info | Structure and Semantics | Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) | Documentation |
Servers Array Undefined c66ebeaa-676c-40dc-a3ff-3e49395dcd5e |
OpenAPI | Info | Structure and Semantics | The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. | Documentation |
Object Without Required Property (v3) d172a060-8569-4412-8045-3560ebd477e8 |
OpenAPI | Info | Structure and Semantics | OpenAPI Object should contain all of its required fields | Documentation |
Callback JSON Reference Does Not Exists f29904c8-6041-4bca-b043-dfa0546b8079 |
OpenAPI | Info | Structure and Semantics | Callback reference should exist in the components field | Documentation |
Header JSON Reference Does Not Exists 376c9390-7e9e-4cb8-a067-fd31c05451fd |
OpenAPI | Info | Structure and Semantics | Header reference should exist in the components field | Documentation |
Example JSON Reference Does Not Exists 6a2c219f-da5e-4745-941e-5ea8cde23356 |
OpenAPI | Info | Structure and Semantics | Example reference should exist in the components field | Documentation |
Schema With Both ReadOnly And WriteOnly d2361d58-361c-49f0-9e50-b957fd608b29 |
OpenAPI | Info | Structure and Semantics | Schema should not have both 'writeOnly' and 'readOnly' set to true | Documentation |
Property 'allowReserved' Improperly Defined 7f203940-39c4-4ea7-91ee-7aba16bca9e2 |
OpenAPI | Info | Structure and Semantics | Property 'allowReserved' should be only defined for query parameters | Documentation |
Parameter Object With Incorrect Ref (v3) d40f27e6-15fb-4b56-90f8-fc0ff0291c51 |
OpenAPI | Info | Structure and Semantics | Parameter Object reference must always point to '#/components/parameters' | Documentation |
Server URL Not Absolute a0bf7382-5d5a-4224-924c-3db8466026c9 |
OpenAPI | Info | Structure and Semantics | The Server URL should be an absolute URL | Documentation |
Callback Object With Incorrect Ref ba066cda-e808-450d-92b6-f29109754d45 |
OpenAPI | Info | Structure and Semantics | Callback Object reference must always point to '#/components/callbacks' | Documentation |
Request Body JSON Reference Does Not Exists ca02f4e8-d3ae-4832-b7db-bb037516d9e7 |
OpenAPI | Info | Structure and Semantics | Request Body reference should exist in the components field | Documentation |
Link JSON Reference Does Not Exists 801f0c6a-a834-4467-89c6-ddecffb46b5a |
OpenAPI | Info | Structure and Semantics | Link reference should exist in the components field | Documentation |
Link Object With Both 'operationId' And 'operationRef' 60fb6621-9f02-473b-9424-ba9a825747d3 |
OpenAPI | Info | Structure and Semantics | A Link Object should not have both 'operationId' and 'operationRef' defined, since they are mutually exclusive. | Documentation |
Link Object OperationId Does Not Target Operation Object c5bb7461-aa57-470b-a714-3bc3d74f4669 |
OpenAPI | Info | Structure and Semantics | Link object 'OperationId' should target an existing operation object in the OpenAPI definition | Documentation |
Components Object Fixed Field Key Improperly Named 151331e2-11f4-4bb6-bd35-9a005e695087 |
OpenAPI | Info | Structure and Semantics | Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: ^[a-zA-Z0-9\.\-_]+$ | Documentation |
Server URL Uses Undefined Variables 8d0921d6-4131-461f-a253-99e873f8f77e |
OpenAPI | Info | Structure and Semantics | Any variable used in the Service URL should be defined in the Service Object through 'variables'. | Documentation |
Parameter Object With Schema And Content 31dd6fc0-f274-493b-9614-e063086c19fc |
OpenAPI | Info | Structure and Semantics | A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive | Documentation |
Schema Object Incorrect Ref (v3) 4cac7ace-b0fb-477d-830d-65395d9109d9 |
OpenAPI | Info | Structure and Semantics | Schema Object reference must always point to '#/components/schemas' | Documentation |
Security Requirement Object With Wrong Scopes 37140f7f-724a-4c87-a536-e9cee1d61533 |
OpenAPI | Info | Structure and Semantics | Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' | Documentation |
Parameter Object With Undefined Type 46facedc-f243-4108-ab33-583b807d50b0 |
OpenAPI | Info | Structure and Semantics | A Parameter Object must contain either a 'schema' property, or a 'content' property | Documentation |
Parameter Object Content With Multiple Entries 8bfed1c6-2d59-4924-bc7f-9b9d793ed0df |
OpenAPI | Info | Structure and Semantics | The map content property of the parameter object should only contain one entry | Documentation |
Response JSON Reference Does Not Exists (v3) 7a01dfbd-da62-4165-aed7-71349ad42ab4 |
OpenAPI | Info | Structure and Semantics | Response reference should exist in the components field | Documentation |
Security Field Undefined ab1263c2-81df-46f0-9f2c-0b62fdb68419 |
OpenAPI | Info | Structure and Semantics | Security field should be defined in '#/components/securitySchemes' | Documentation |
Response Object With Incorrect Ref (v3) b3871dd8-9333-4d6c-bd52-67eb898b71ab |
OpenAPI | Info | Structure and Semantics | Response Object reference must always point to '#/components/responses' | Documentation |
Example JSON Reference Outside Components Examples bac56e3c-1f71-4a74-8ae6-2fba07efcddb |
OpenAPI | Info | Structure and Semantics | Reference to examples should point to #/components/examples | Documentation |
Unknown Property (v3) fb7d81e7-4150-48c4-b914-92fc05da6a2f |
OpenAPI | Info | Structure and Semantics | All properties defined in OpenAPI objects should be known | Documentation |
Header Object With Incorrect Ref 2d6646f4-2946-420f-8c14-3232d49ae0cb |
OpenAPI | Info | Structure and Semantics | Header Object reference must always point to '#/components/headers' | Documentation |
Parameter JSON Reference Does Not Exists (v3) 2e275f16-b627-4d3f-ae73-a6153a23ae8f |
OpenAPI | Info | Structure and Semantics | Parameter reference should exist in the components field | Documentation |
Link Object Incorrect Ref b9db8a10-020c-49ca-88c6-780e5fdb4328 |
OpenAPI | Info | Structure and Semantics | Link object reference must always point to '#/components/links' | Documentation |
Request Body Object With Incorrect Media Type 58f06434-a88c-4f74-826c-db7e10cc7def |
OpenAPI | Info | Structure and Semantics | The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. | Documentation |
Request Body With Incorrect Ref 0f6cd0ab-c366-4595-84fc-fbd8b9901e4d |
OpenAPI | Info | Structure and Semantics | Request Body reference must always point to '#/components/RequestBodies' | Documentation |
Role Assignment Not Limit Guest User Permissions 8e75e431-449f-49e9-b56a-c8f1378025cf |
Terraform | High | Access Control | Role Assignment should limit guest user permissions | Documentation |
Admin User Enabled For Container Registry b897dfbf-322c-45a8-b67c-1e698beeaa51 |
Terraform | High | Access Control | Admin user is enabled for Container Registry | Documentation |
Role Assignment Of Guest Users 2bc626a8-0751-446f-975d-8139214fc790 |
Terraform | High | Access Control | There is a role assignment for guest user | Documentation |
Function App Authentication Disabled e65a0733-94a0-4826-82f4-df529f4c593f |
Terraform | High | Access Control | Azure Function App authentication settings should be enabled | Documentation |
Public Storage Account 17f75827-0684-48f4-8747-61129c7e4198 |
Terraform | High | Access Control | Storage Account should not be public, following the principle of least privilege | Documentation |
Storage Container Is Publicly Accessible dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299 |
Terraform | High | Access Control | Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage | Documentation |
Geo Redundancy Is Disabled 8b042c30-e441-453f-b162-7696982ebc58 |
Terraform | High | Backup | Make sure that Geo Redundant Backups are enabled on PostgreSQL | Documentation |
Storage Account Not Forcing HTTPS 12944ec4-1fa0-47be-8b17-42a034f937c2 |
Terraform | High | Encryption | Storage Accounts should enforce the use of HTTPS | Documentation |
App Service Not Using Latest TLS Encryption Version b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643 |
Terraform | High | Encryption | Ensure App Service is using the latest version of TLS encryption | Documentation |
Function App Not Using Latest TLS Encryption Version 45fc717a-bd86-415c-bdd8-677901be1aa6 |
Terraform | High | Encryption | Ensure Function App is using the latest version of TLS encryption | Documentation |
MySQL SSL Connection Disabled 73e42469-3a86-4f39-ad78-098f325b4e9f |
Terraform | High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
SSL Enforce Disabled 0437633b-daa6-4bbc-8526-c0d2443b946e |
Terraform | High | Encryption | Make sure that for PostgreSQL, 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
Azure Container Registry With No Locks a187ac47-8163-42ce-8a63-c115236be6fb |
Terraform | High | Insecure Configurations | Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' | Documentation |
App Service FTPS Enforce Disabled 85da374f-b00f-4832-9d44-84a1ca1e89f8 |
Terraform | High | Insecure Configurations | Azure App Service should only enforce FTPS when 'ftps_state' is enabled | Documentation |
Network Watcher Flow Disabled b90842e5-6779-44d4-9760-972f4c03ba1c |
Terraform | High | Insecure Configurations | Check whether the 'enable' field in the resource azurerm_network_watcher_flow_log is false. | Documentation |
Azure App Service Client Certificate Disabled a81573f9-3691-4d83-88a0-7d4af63e17a3 |
Terraform | High | Insecure Configurations | Azure App Service client certificate should be enabled | Documentation |
Web App Accepting Traffic Other Than HTTPS 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe |
Terraform | High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service. | Documentation |
Redis Not Updated Regularly b947809d-dd2f-4de9-b724-04d101c515aa |
Terraform | High | Insecure Configurations | Redis Cache is not configured to be updated regularly with security and operational updates | Documentation |
AKS Private Cluster Disabled 599318f2-6653-4569-9e21-041d06c63a89 |
Terraform | High | Insecure Configurations | Azure Kubernetes Service (AKS) API should not be exposed to the internet | Documentation |
Function App FTPS Enforce Disabled 9dab0179-433d-4dff-af8f-0091025691df |
Terraform | High | Insecure Configurations | Azure Function App should only enforce FTPS when 'ftps_state' is enabled | Documentation |
VM Not Attached To Network bbf6b3df-4b65-4f87-82cc-da9f30f8c033 |
Terraform | High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
AD Admin Not Configured For SQL Server a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b |
Terraform | High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
CosmosDB Account IP Range Filter Not Set c2a3efb6-8a58-481c-82f2-bfddf34bb4b7 |
Terraform | High | Networking and Firewall | The IP range filter should be defined to secure the data stored | Documentation |
Trusted Microsoft Services Not Enabled 5400f379-a347-4bdd-a032-446465fdcc6f |
Terraform | High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access | Documentation |
Sensitive Port Is Exposed To Entire Network 594c198b-4d79-41b8-9b36-fde13348b619 |
Terraform | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
SQLServer Ingress From Any IP 25c0ea09-f1c5-4380-b055-3b83863f2bb8 |
Terraform | High | Networking and Firewall | Check whether all IPs are allowed, i.e. a range from start 0.0.0.0 to end 255.255.255.255. | Documentation |
Redis Publicly Accessible 5089d055-53ff-421b-9482-a5267bdce629 |
Terraform | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources | Documentation |
MSSQL Server Public Network Access Enabled ade36cf4-329f-4830-a83d-9db72c800507 |
Terraform | High | Networking and Firewall | MSSQL Server public network access should be disabled | Documentation |
MySQL Server Public Access Enabled f118890b-2468-42b1-9ce9-af35146b425b |
Terraform | High | Networking and Firewall | MySQL Server public access should be disabled | Documentation |
Redis Entirely Accessible fd8da341-6760-4450-b26c-9f6d8850575e |
Terraform | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet | Documentation |
SSH Is Exposed To The Internet 3e3c175e-aadf-4e2b-a464-3fdac5748d24 |
Terraform | High | Networking and Firewall | Port 22 (SSH) is exposed to the internet | Documentation |
RDP Is Exposed To The Internet efbf6449-5ec5-4cfe-8f15-acc51e0d787c |
Terraform | High | Networking and Firewall | Port 3389 (Remote Desktop) is exposed to the internet | Documentation |
Vault Auditing Disabled 38c71c00-c177-4cd7-8d36-cd1007cdb190 |
Terraform | High | Observability | Ensure that logging for Azure KeyVault is 'Enabled' | Documentation |
SQL Database Audit Disabled 83a229ba-483e-47c6-8db7-dc96969bce5a |
Terraform | High | Resource Management | Ensure that 'Threat Detection' is enabled for Azure SQL Database | Documentation |
App Service Managed Identity Disabled b61cce4b-0cc4-472b-8096-15617a6d769b |
Terraform | High | Resource Management | Azure App Service should have managed identity enabled | Documentation |
PostgreSQL Server Threat Detection Policy Disabled c407c3cf-c409-4b29-b590-db5f4138d332 |
Terraform | High | Resource Management | PostgreSQL Server Threat Detection Policy should be enabled | Documentation |
Key Expiration Not Set 4d080822-5ee2-49a4-8984-68f3d4c890fc |
Terraform | High | Secret Management | Make sure that for all keys the expiration date is set | Documentation |
Secret Expiration Not Set dfa20ffa-f476-428f-a490-424b41e91c7f |
Terraform | High | Secret Management | Make sure that for all secrets the expiration date is set | Documentation |
Storage Share File Allows All ACL Permissions 48bbe0fd-57e4-4678-a4a1-119e79c90fc3 |
Terraform | Medium | Access Control | Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). | Documentation |
AKS RBAC Disabled 86f92117-eed8-4614-9c6c-b26da20ff37f |
Terraform | Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
Role Definition Allows Custom Role Creation 3fa5900f-9aac-4982-96b2-a6143d9c99fb |
Terraform | Medium | Access Control | Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) | Documentation |
Storage Table Allows All ACL Permissions 3ac3e75c-6374-4a32-8ba0-6ed69bda404e |
Terraform | Medium | Access Control | Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). | Documentation |
Virtual Network with DDoS Protection Plan disabled b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a |
Terraform | Medium | Availability | Virtual Network should have DDoS Protection Plan enabled | Documentation |
SQL Server Predictable Admin Account Name 2ab6de9a-0136-415c-be92-79d2e4fd750f |
Terraform | Medium | Best Practices | Azure SQL Server's admin account login must avoid predictable names such as 'Admin', which means the attribute 'administrator_login' must be set to a name that is not easy to predict | Documentation |
SQL Server Predictable Active Directory Account Name bcd3fc01-5902-4f2a-b05a-227f9bbf5450 |
Terraform | Medium | Best Practices | Azure SQL Server must avoid predictable Active Directory Administrator account names such as 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict | Documentation |
Security Contact Email 34664094-59e0-4524-b69f-deaa1a68cce3 |
Terraform | Medium | Best Practices | Security Contact Email should be defined | Documentation |
Cosmos DB Account Without Tags 56dad03e-e94f-4dd6-93a4-c253a03ff7a0 |
Terraform | Medium | Build Process | Cosmos DB Account must have a mapping of tags. | Documentation |
AKS Disk Encryption Set ID Undefined b17d8bb8-4c08-4785-867e-cb9e62a622aa |
Terraform | Medium | Encryption | Azure Container Service (AKS) should use Disk Encryption Set ID | Documentation |
Encryption On Managed Disk Disabled a99130ab-4c0e-43aa-97f8-78d4fcb30024 |
Terraform | Medium | Encryption | Ensure that the encryption is active on the disk | Documentation |
Storage Account Not Using Latest TLS Encryption Version 8263f146-5e03-43e0-9cfe-db960d56d1e7 |
Terraform | Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
Security Group is Not Configured 5c822443-e1ea-46b8-84eb-758ec602e844 |
Terraform | Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
Security Center Pricing Tier Is Not Standard 819d50fd-1cdf-45c3-9936-be408aaad93e |
Terraform | Medium | Insecure Configurations | Make sure that the 'Standard' pricing tier is selected. | Documentation |
Function App Client Certificates Unrequired 9bb3c639-5edf-458c-8ee5-30c17c7d671d |
Terraform | Medium | Insecure Configurations | Azure Function App should have 'client_cert_mode' set to required | Documentation |
Function App Managed Identity Disabled c87749b3-ff10-41f5-9df2-c421e8151759 |
Terraform | Medium | Insecure Configurations | Azure Function App should have managed identity enabled | Documentation |
Small Flow Logs Retention Period 7750fcca-dd03-4d38-b663-4b70289bcfd4 |
Terraform | Medium | Insecure Configurations | Flow logs capture information about IP traffic flowing in and out of network security groups. Network Security Group Flow Logs must be enabled with a retention period greater than or equal to 90 days. This is important because these logs are used to check for anomalies and give information on suspected breaches | Documentation |
AKS Network Policy Misconfigured f5342045-b935-402d-adf1-8dbbd09c0eef |
Terraform | Medium | Insecure Configurations | Azure Kubernetes Service should have a proper network policy configuration to ensure the principle of least privilege, which means that 'network_profile.network_policy' should be defined | Documentation |
Redis Cache Allows Non SSL Connections e29a75e6-aba3-4896-b42d-b87818c16b58 |
Terraform | Medium | Insecure Configurations | Redis Cache resources should not allow non-SSL connections | Documentation |
Default Network Access is Allowed 9be09caf-2ba4-4fa9-9787-a670dc32c639 |
Terraform | Medium | Insecure Defaults | Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' | Documentation |
Default Azure Storage Account Network Access Is Too Permissive a5613650-32ec-4975-a305-31af783153ea |
Terraform | Medium | Insecure Defaults | Default Azure Storage Account network access should be set to Deny | Documentation |
Network Interfaces IP Forwarding Enabled 4216ebac-d74c-4423-b437-35025cb88af5 |
Terraform | Medium | Networking and Firewall | Network Interfaces IP Forwarding should be disabled | Documentation |
Azure Cognitive Search Public Network Access Enabled 4a9e0f00-0765-4f72-a0d4-d31110b78279 |
Terraform | Medium | Networking and Firewall | Public Network Access should be disabled for Azure Cognitive Search | Documentation |
Network Interfaces With Public IP c1573577-e494-4417-8854-7e119368dc8b |
Terraform | Medium | Networking and Firewall | Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) | Documentation |
Unrestricted SQL Server Access d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28 |
Terraform | Medium | Networking and Firewall | Azure SQL Server accessibility should be set to a minimal address range, following the principle of least privilege, which means the difference between the values of 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both IPs must be different from '0.0.0.0'. | Documentation |
Sensitive Port Is Exposed To Wide Private Network c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e |
Terraform | Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open to a wide private network in either TCP or UDP protocol | Documentation |
WAF Is Disabled For Azure Application Gateway 2e48d91c-50e4-45c8-9312-27b625868a72 |
Terraform | Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. | Documentation |
MariaDB Server Public Network Access Enabled 7f0a8696-7159-4337-ad0d-8a3ab4a78195 |
Terraform | Medium | Networking and Firewall | MariaDB Server Public Network Access should be disabled | Documentation |
Sensitive Port Is Exposed To Small Public Network e9dee01f-2505-4df2-b9bf-7804d1fd9082 |
Terraform | Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open to a small public network in either TCP or UDP protocol | Documentation |
Firewall Rule Allows Too Many Hosts To Access Redis Cache a829b715-cf75-4e92-b645-54c9b739edfb |
Terraform | Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache | Documentation |
Small MSSQL Server Audit Retention 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc |
Terraform | Medium | Observability | Make sure that for SQL Servers, Auditing Retention is greater than 90 days | Documentation |
PostgreSQL Log Connections Not Set c640d783-10c5-4071-b6c1-23507300d333 |
Terraform | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
Email Alerts Disabled 9db38e87-f6aa-4b5e-a1ec-7266df259409 |
Terraform | Medium | Observability | Make sure that alert notifications are set to 'On' in the Azure Security Center Contact | Documentation |
PostgreSQL Log Duration Not Set 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f |
Terraform | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
MSSQL Server Auditing Disabled 609839ae-bd81-4375-9910-5bce72ae7b92 |
Terraform | Medium | Observability | Make sure that for MSSQL Servers, 'Auditing' is set to 'On' | Documentation |
Small PostgreSQL DB Server Log Retention Period 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606 |
Terraform | Medium | Observability | Check if PostgreSQL Database Server retains logs for less than 3 Days | Documentation |
Small MSSQL Audit Retention Period 9c301481-e6ec-44f7-8a49-8ec63e2969ea |
Terraform | Medium | Observability | Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days | Documentation |
SQL Server Auditing Disabled f7e296b0-6660-4bc5-8f87-22ac4a815edf |
Terraform | Medium | Observability | Make sure that for SQL Servers, 'Auditing' is set to 'On' | Documentation |
Log Retention Is Not Set ffb02aca-0d12-475e-b77c-a726f7aeff4b |
Terraform | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
PostgreSQL Log Checkpoints Disabled 3790d386-be81-4dcf-9850-eaa7df6c10d9 |
Terraform | Medium | Observability | Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
PostgreSQL Log Disconnections Not Set 07f7134f-9f37-476e-8664-670c218e4702 |
Terraform | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
PostgreSQL Server Without Connection Throttling 2b3c671f-1b76-4741-8789-ed1fe0785dc4 |
Terraform | Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
Small Activity Log Retention Period 2b856bf9-8e8c-4005-875f-303a8cba3918 |
Terraform | Medium | Observability | Ensure that Activity Log Retention is set to 365 days or greater | Documentation |
Azure Active Directory Authentication a21c8da9-41bf-40cf-941d-330cf0d11fc7 |
Terraform | Low | Access Control | Azure Active Directory must be used for authentication for Service Fabric | Documentation |
MariaDB Server Geo-redundant Backup Disabled 0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1 |
Terraform | Low | Backup | MariaDB Server Geo-redundant Backup should be enabled | Documentation |
App Service Without Latest PHP Version 96fe318e-d631-4156-99fa-9080d57280ae |
Terraform | Low | Best Practices | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. | Documentation |
Key Vault Secrets Content Type Undefined f8e08a38-fc6e-4915-abbe-a7aadf1d59ef |
Terraform | Low | Best Practices | Key Vault Secrets should have Content Type set | Documentation |
AKS Uses Azure Policies Add-On Disabled 43789711-161b-4708-b5bb-9d1c626f7492 |
Terraform | Low | Best Practices | Azure Container Service (AKS) should use Azure Policies Add-On | Documentation |
App Service Without Latest Python Version cc4aaa9d-1070-461a-b519-04e00f42db8a |
Terraform | Low | Best Practices | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. | Documentation |
PostgreSQL Server Infrastructure Encryption Disabled 6425c98b-ca4e-41fe-896a-c78772c131f8 |
Terraform | Low | Encryption | PostgreSQL Server Infrastructure Encryption should be enabled | Documentation |
Function App HTTP2 Disabled ace823d1-4432-4dee-945b-cdf11a5a6bd0 |
Terraform | Low | Insecure Configurations | Function App should have 'http2_enabled' enabled | Documentation |
Dashboard Is Enabled 61c3cb8b-0715-47e4-b788-86dde40dd2db |
Terraform | Low | Insecure Configurations | Check if the Kubernetes Dashboard is enabled. | Documentation |
App Service HTTP2 Disabled 525b53be-62ed-4244-b4df-41aecfcb4071 |
Terraform | Low | Insecure Configurations | App Service should have 'http2_enabled' enabled | Documentation |
Azure Front Door WAF Disabled 835a4f2f-df43-437d-9943-545ccfc55961 |
Terraform | Low | Networking and Firewall | Azure Front Door WAF should be enabled | Documentation |
App Service Authentication Disabled c7fc1481-2899-4490-bbd8-544a3a61a2f3 |
Terraform | Info | Access Control | Azure App Service authentication settings should be enabled | Documentation |
SQL Server Alert Email Disabled 55975007-f6e7-4134-83c3-298f1fe4b519 |
Terraform | Info | Best Practices | SQL Server alert email should be enabled | Documentation |
Not Limited Capabilities For Pod Security Policy 2acb555f-f4ad-4b1b-b984-84e6588f4b05 |
Terraform | High | Insecure Configurations | Limit capabilities for a Pod Security Policy | Documentation |
Cluster Allows Unsafe Sysctls a9174d31-d526-4ad9-ace4-ce7ddbf52e03 |
Terraform | High | Insecure Configurations | A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.security_context.sysctl' must not contain unsafe sysctls and the attribute 'allowed_unsafe_sysctls' must be undefined. | Documentation |
Tiller (Helm v2) Is Deployed ca2fba76-c1a7-4afd-be67-5249f861cb0e |
Terraform | High | Insecure Configurations | Check if Tiller is deployed. | Documentation |
NET_RAW Capabilities Not Being Dropped e5587d53-a673-4a6b-b3f2-ba07ec274def |
Terraform | High | Insecure Configurations | Containers should drop 'ALL' or at least 'NET_RAW' capabilities | Documentation |
Privilege Escalation Allowed c878abb4-cca5-4724-92b9-289be68bd47c |
Terraform | High | Insecure Configurations | Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process | Documentation |
PSP Allows Containers To Share The Host Network Namespace 4950837c-0ce5-4e42-9bee-a25eae73740b |
Terraform | High | Insecure Configurations | Check if Pod Security Policies allow containers to share the host network namespace. | Documentation |
Container Is Privileged 87065ef8-de9b-40d8-9753-f4a4303e27a4 |
Terraform | High | Insecure Configurations | Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false | Documentation |
Role Binding To Default Service Account 3360c01e-c8c0-4812-96a2-a6329b9b7f9f |
Terraform | High | Insecure Defaults | No role or cluster role should bind to a default service account | Documentation |
Non Kube System Pod With Host Mount 86a947ea-f577-4efb-a8b0-5fc00257d521 |
Terraform | Medium | Access Control | A non kube-system workload should not have hostPath mounted | Documentation |
RBAC Roles with Read Secrets Permissions 826abb30-3cd5-4e0b-a93b-67729b4f7e63 |
Terraform | Medium | Access Control | Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys | Documentation |
Permissive Access to Create Pods 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba |
Terraform | Medium | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation. | Documentation |
Readiness Probe Is Not Configured 8657197e-3f87-4694-892b-8144701d83c1 |
Terraform | Medium | Availability | Check if Readiness Probe is not configured. | Documentation |
Root Containers Admitted 4c415497-7410-4559-90e8-f2c8ac64ee38 |
Terraform | Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden | Documentation |
Incorrect Volume Claim Access Mode ReadWriteOnce 26b047a9-0329-48fd-8fb7-05bbe5ba80ee |
Terraform | Medium | Build Process | Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' | Documentation |
Using Default Namespace abcb818b-5af7-4d72-aba9-6dd84956b451 |
Terraform | Medium | Insecure Configurations | The default namespace should not be used | Documentation |
Workload Mounting With Sensitive OS Directory a737be28-37d8-4bff-aa6d-1be8aa0a0015 |
Terraform | Medium | Insecure Configurations | Workload is mounting a volume with sensitive OS Directory | Documentation |
PSP With Added Capabilities 48388bd2-7201-4dcc-b56d-e8a9efa58fad |
Terraform | Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities | Documentation |
Ingress Controller Exposes Workload e2c83c1f-84d7-4467-966c-ed41fd015bb9 |
Terraform | Medium | Insecure Configurations | Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks | Documentation |
Seccomp Profile Is Not Configured 455f2e0c-686d-4fcb-8b5f-3f953f12c43c |
Terraform | Medium | Insecure Configurations | Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls | Documentation |
NET_RAW Capabilities Disabled for PSP 9aa32890-ac1a-45ee-81ca-5164e2098556 |
Terraform | Medium | Insecure Configurations | Containers must have 'NET_RAW' or 'ALL' in their drop capabilities | Documentation |
PSP Set To Privileged a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9 |
Terraform | Medium | Insecure Configurations | Do not allow a pod to request execution as privileged. | Documentation |
Container Host Pid Is True 587d5d82-70cf-449b-9817-f60f9bccb88c |
Terraform | Medium | Insecure Configurations | Minimize the admission of containers wishing to share the host process ID namespace | Documentation |
PSP Allows Sharing Host IPC 51bed0ac-a8ae-407a-895e-90c6cb0610ce |
Terraform | Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace | Documentation |
Container Resources Limits Undefined 60af03ff-a421-45c8-b214-6741035476fa |
Terraform | Medium | Insecure Configurations | Kubernetes container should have resource limitations defined such as CPU and memory | Documentation |
Containers With Added Capabilities fe771ff7-ba15-4f8f-ad7a-8aa232b49a28 |
Terraform | Medium | Insecure Configurations | Containers should not have extra capabilities allowed | Documentation |
Containers With Sys Admin Capabilities 3f55386d-75cd-4e9a-ac47-167b26c04724 |
Terraform | Medium | Insecure Configurations | Containers should not have CAP_SYS_ADMIN Linux capability | Documentation |
Container Runs Unmasked 0ad60203-c050-4115-83b6-b94bde92541d |
Terraform | Medium | Insecure Configurations | Check if a container has full (unmasked) access to the host's /proc filesystem, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime. | Documentation |
Default Service Account In Use 737a0dd9-0aaa-4145-8118-f01778262b8a |
Terraform | Medium | Insecure Configurations | Default service accounts should not be actively used | Documentation |
PSP Allows Privilege Escalation 2bff9906-4e9b-4f71-9346-8ebedfdf43ef |
Terraform | Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation | Documentation |
Service Account Token Automount Not Disabled a9a13d4f-f17a-491b-b074-f54bffffcb4a |
Terraform | Medium | Insecure Defaults | Service Account Tokens are automatically mounted even if not necessary | Documentation |
Service Account Name Undefined Or Empty 24b132df-5cc7-4823-8029-f898e1c50b72 |
Terraform | Medium | Insecure Defaults | A Kubernetes Pod should have a Service Account defined so as to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. | Documentation |
Network Policy Is Not Targeting Any Pod b80b14c6-aaa2-4876-b651-8a48b6c32fbf |
Terraform | Medium | Networking and Firewall | Check if any network policy is not targeting any pod. | Documentation |
Service With External Load Balance 2a52567c-abb8-4651-a038-52fa27c77aed |
Terraform | Medium | Networking and Firewall | Service has an external load balancer, which may make it accessible from other networks and the Internet | Documentation |
Memory Limits Not Defined fd097ed0-7fe6-4f58-8b71-fef9f0820a21 |
Terraform | Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory | Documentation |
Shared Host IPC Namespace e94d3121-c2d1-4e34-a295-139bfeb73ea3 |
Terraform | Medium | Resource Management | Container should not share the host IPC namespace | Documentation |
CPU Requests Not Set 577ac19c-6a77-46d7-9f14-e049cdd15ec2 |
Terraform | Medium | Resource Management | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node | Documentation |
Memory Requests Not Defined 21719347-d02b-497d-bda4-04a03c8e5b61 |
Terraform | Medium | Resource Management | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes | Documentation |
CPU Limits Not Set 5f4735ce-b9ba-4d95-a089-a37a767b716f |
Terraform | Medium | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests | Documentation |
Shared Host Network Namespace ac1564a3-c324-4747-9fa1-9dfc234dace0 |
Terraform | Medium | Resource Management | Container should not share the host network namespace | Documentation |
Volume Mount With OS Directory Write Permissions a62a99d1-8196-432f-8f80-3c100b05d62a |
Terraform | Medium | Resource Management | Containers can mount sensitive folders from the host, giving them potentially dangerous access to critical host configurations and binaries. | Documentation |
Shared Service Account f74b9c43-161a-4799-bc95-0b0ec81801b9 |
Terraform | Medium | Secret Management | A Service Account token is shared between workloads | Documentation |
Service Account Allows Access Secrets 07fc3413-e572-42f7-9877-5c8fc6fccfb5 |
Terraform | Medium | Secret Management | Kubernetes_role and Kubernetes_cluster_role, when bound, should not use get, list or watch as verbs | Documentation |
Missing App Armor Config bd6bd46c-57db-4887-956d-d372f21291b6 |
Terraform | Low | Access Control | Containers should be configured with AppArmor for any application to reduce its potential attack surface | Documentation |
Docker Daemon Socket is Exposed to Containers 4e203a65-c8d8-49a2-b749-b124d43c9dc1 |
Terraform | Low | Access Control | Checks that the Docker Daemon Socket is not exposed to containers | Documentation |
Cluster Admin Rolebinding With Superuser Permissions 17172bc2-56fb-4f17-916f-a014147706cd |
Terraform | Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) | Documentation |
Deployment Without PodDisruptionBudget a05331ee-1653-45cb-91e6-13637a76e4f0 |
Terraform | Low | Availability | Deployments should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
Liveness Probe Is Not Defined 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3 |
Terraform | Low | Availability | In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it | Documentation |
HPA Targets Invalid Object 17e52ca3-ddd0-4610-9d56-ce107442e110 |
Terraform | Low | Availability | The Horizontal Pod Autoscaler must target a valid object | Documentation |
StatefulSet Without PodDisruptionBudget 7249e3b0-9231-4af3-bc5f-5daf4988ecbf |
Terraform | Low | Availability | StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
StatefulSet Without Service Name 420e6360-47bb-46f6-9072-b20ed22c842d |
Terraform | Low | Availability | StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. | Documentation |
Metadata Label Is Invalid bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e |
Terraform | Low | Best Practices | Check if any label in the metadata is invalid. | Documentation |
No Drop Capabilities for Containers 21cef75f-289f-470e-8038-c7cee0664164 |
Terraform | Low | Best Practices | Checks that Kubernetes drop capabilities exist to ensure the containers' security context | Documentation |
Root Container Not Mounted As Read-only d532566b-8d9d-4f3b-80bd-361fe802f9c2 |
Terraform | Low | Build Process | Check if the root container filesystem is not being mounted as read-only. | Documentation |
StatefulSet Requests Storage fcc2612a-1dfe-46e4-8ce6-0320959f0040 |
Terraform | Low | Build Process | A StatefulSet requests volume storage. | Documentation |
Pod or Container Without Security Context ad69e38a-d92e-4357-a8da-f2f29d545883 |
Terraform | Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container | Documentation |
Image Pull Policy Of The Container Is Not Set To Always aa737abf-6b1d-4aba-95aa-5c160bd7f96e |
Terraform | Low | Insecure Configurations | Image Pull Policy of the container must be defined and set to Always | Documentation |
Image Without Digest 228c4c19-feeb-4c18-848c-800ac70fdfb7 |
Terraform | Low | Insecure Configurations | Images should be specified together with their digests to ensure integrity | Documentation |
Service Type is NodePort 5c281bf8-d9bb-47f2-b909-3f6bb11874ad |
Terraform | Low | Networking and Firewall | Service type should not be NodePort | Documentation |
Workload Host Port Not Specified 4e74cf4f-ff65-4c1a-885c-67ab608206ce |
Terraform | Low | Networking and Firewall | Verifies whether a Kubernetes workload's host port is specified | Documentation |
Deployment Has No PodAntiAffinity 461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3 |
Terraform | Low | Resource Management | Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
CronJob Deadline Not Configured 58876b44-a690-4e9f-9214-7735fa0dd15d |
Terraform | Low | Resource Management | Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined | Documentation |
Secrets As Environment Variables 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8 |
Terraform | Low | Secret Management | Container should not use secrets as environment variables | Documentation |
Invalid Image e76cca7c-c3f9-4fc9-884c-b2831168ebd8 |
Terraform | Low | Supply-Chain | Image must be defined and not be empty or equal to latest. | Documentation |
OSS Bucket Allows Delete Action From All Principals 8c0695d8-2378-4cd6-8243-7fd5894fa574 |
Terraform | High | Access Control | OSS Bucket should not allow delete action from all principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. | Documentation |
Ram Policy Admin Access Not Attached to Users Groups Roles e8e62026-da63-4904-b402-65adfe3ca975 |
Terraform | High | Access Control | Ram policies with admin access should not be associated with users, groups or roles | Documentation |
OSS Bucket Allows Put Action From All Principals fe286195-e75c-4359-bd58-00847c4f855a |
Terraform | High | Access Control | OSS Bucket should not allow put action from all principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. | Documentation |
OSS Bucket Public Access Enabled 62232513-b16f-4010-83d7-51d0e1d45426 |
Terraform | High | Access Control | OSS Bucket should have public access disabled | Documentation |
OSS Bucket Allows All Actions From All Principals ec62a32c-a297-41ca-a850-cab40b42094a |
Terraform | High | Access Control | OSS Buckets should not allow all actions (wildcard) from all principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. | Documentation |
OSS Bucket Allows List Action From All Principals 88541597-6f88-42c8-bac6-7e0b855e8ff6 |
Terraform | High | Access Control | OSS Bucket should not allow list action from all principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. | Documentation |
RAM Security Preference Not Enforce MFA Login dcda2d32-e482-43ee-a926-75eaabeaa4e0 |
Terraform | High | Access Control | RAM Security preferences should enforce MFA login for RAM users | Documentation |
RDS Instance TDE Status Disabled 44d434ca-a9bf-4203-8828-4c81a8d5a598 |
Terraform | High | Encryption | tde_status parameter should be Enabled for supported RDS instances | Documentation |
NAS File System Not Encrypted 67bfdff1-31ce-4525-b564-e94368735360 |
Terraform | High | Encryption | NAS File System must be encrypted | Documentation |
Launch Template Is Not Encrypted 1455cb21-1d48-46d6-8ae3-cef911b71fd5 |
Terraform | High | Encryption | ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. | Documentation |
NAS File System Without KMS 5f670f9d-b1b4-4c90-8618-2288f1ab9676 |
Terraform | High | Encryption | NAS File System should have encryption provided by user KMS | Documentation |
Ecs Data Disk Kms Key Id Undefined f262118c-1ac6-4bb3-8495-cc48f1775b85 |
Terraform | High | Encryption | Ecs Data Disk Kms Key Id should be set | Documentation |
DB Instance Publicly Accessible faaefc15-51a5-419e-bb5e-51a4b5ab3485 |
Terraform | High | Insecure Configurations | The field 'address' should not be set to '0.0.0.0/0' | Documentation |
OSS Bucket Has Static Website 2b13c6ff-b87a-484d-86fd-21ef6e97d426 |
Terraform | High | Insecure Configurations | Checks if any static websites are hosted on buckets. Be aware of any website you are running. | Documentation |
RDS DB Instance Publicly Accessible 1b4565c0-4877-49ac-ab03-adebbccd42ae |
Terraform | High | Insecure Configurations | '0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list | Documentation |
OSS Bucket Ip Restriction Disabled 6107c530-7178-464a-88bc-df9cdd364ac8 |
Terraform | High | Networking and Firewall | OSS Bucket should have ip restricted access | Documentation |
Public Security Group Rule All Ports or Protocols 60587dbd-6b67-432e-90f7-a8cf1892d968 |
Terraform | High | Networking and Firewall | Alicloud Security Group Rule should not allow all ports or all protocols to the public | Documentation |
OSS Buckets Secure Transport Disabled c01d10de-c468-4790-b3a0-fc887a56f289 |
Terraform | High | Networking and Firewall | OSS Buckets should have secure transport enabled | Documentation |
API Gateway API Protocol Not HTTPS 1bcdf9f0-b1aa-40a4-b8c6-cd7785836843 |
Terraform | High | Networking and Firewall | API Gateway API protocol should be set to HTTPS | Documentation |
Public Security Group Rule Sensitive Port 2ae9d554-23fb-4065-bfd1-fe43d5f7c419 |
Terraform | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol | Documentation |
ALB Listening on HTTP ee3b1557-9fb5-4685-a95d-93f1edf2a0d7 |
Terraform | High | Networking and Firewall | Application Load Balancer (alb) Listener should not listen on HTTP | Documentation |
RDS Instance Events Not Logged b9c524a4-fe76-4021-a6a2-cb978fb4fde1 |
Terraform | High | Observability | All RDS Instance event trackers should be 'true' | Documentation |
ActionTrail Trail OSS Bucket is Publicly Accessible 69b5d7da-a5db-4db9-a42e-90b65d0efb0b |
Terraform | High | Observability | ActionTrail Trail OSS Bucket should not be publicly accessible | Documentation |
Ram Account Password Policy Not Required Minimum Length a9dfec39-a740-4105-bbd6-721ba163c053 |
Terraform | High | Secret Management | Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above | Documentation |
Ram Account Password Policy Max Login Attempts Unrecommended e76fd7ab-7333-40c6-a2d8-ea28af4a319e |
Terraform | High | Secret Management | Ram Account Password Policy should have 'max_login_attempts' set to a maximum of 5 incorrect login attempts | Documentation |
Ram Policy Attached to User 66505003-7aba-45a1-8d83-5162d5706ef5 |
Terraform | Medium | Access Control | Ram policies should not be attached to users | Documentation |
CMK Is Unusable ed6e3ba0-278f-47b6-a1f5-173576b40b7e |
Terraform | Medium | Availability | Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true | Documentation |
OSS Bucket Versioning Disabled 70919c0b-2548-4e6b-8d7a-3d84ab6dabba |
Terraform | Medium | Backup | OSS Bucket should have versioning enabled | Documentation |
ROS Stack Retention Disabled 4bb06fa1-2114-4a00-b7b5-6aeab8b896f0 |
Terraform | Medium | Backup | 'retain_stacks' should be enabled to keep the Stack upon deleting the stack instance from the stack group | Documentation |
ROS Stack Without Template 92d65c51-5d82-4507-a2a1-d252e9706855 |
Terraform | Medium | Build Process | Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body | Documentation |
Disk Encryption Disabled 39750e32-3fe9-453b-8c33-dd277acdb2cc |
Terraform | Medium | Encryption | Disks should have encryption enabled | Documentation |
OSS Bucket Encryption Using CMK Disabled f20e97f9-4919-43f1-9be9-f203cd339cdd |
Terraform | Medium | Encryption | OSS Bucket should have encryption enabled using Customer Master Key | Documentation |
SLB Policy With Insecure TLS Version In Use dbfc834a-56e5-4750-b5da-73fda8e73f70 |
Terraform | Medium | Encryption | SLB Policy should not support insecure versions of TLS protocol | Documentation |
CS Kubernetes Node Pool Auto Repair Disabled 81ce9394-013d-4731-8fcc-9d229b474073 |
Terraform | Medium | Insecure Configurations | Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. | Documentation |
Public Security Group Rule Unknown Port dd706080-b7a8-47dc-81fb-3e8184430ec0 |
Terraform | Medium | Networking and Firewall | An unknown port, such as port 24 or port 111, is open to the public in TCP, UDP or ALL of the mentioned protocols | Documentation |
Kubernetes Cluster Without Terway as CNI Network Plugin b9b7ada8-3868-4a35-854e-6100a2bb863d |
Terraform | Medium | Networking and Firewall | Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies | Documentation |
ROS Stack Notifications Disabled 9ef08939-ea40-489c-8851-667870b2ef50 |
Terraform | Medium | Observability | The ROS Stack Notifications should be defined and populated to receive stack related events | Documentation |
RDS Instance Retention Period Not Recommended dc158941-28ce-481d-a7fa-dc80761edf46 |
Terraform | Medium | Observability | RDS Instance SQL Retention Period should be greater than 180 | Documentation |
OSS Bucket Logging Disabled 05db341e-de7d-4972-a106-3e2bd5ee53e1 |
Terraform | Medium | Observability | OSS Bucket should have logging enabled, for better visibility of resources and objects. | Documentation |
Action Trail Logging For All Regions Disabled c065b98e-1515-4991-9dca-b602bd6a2fbb |
Terraform | Medium | Observability | Action Trail Logging for all regions should be enabled | Documentation |
Log Retention Is Not Greater Than 90 Days ed6cf6ff-9a1f-491c-9f88-e03c0807f390 |
Terraform | Medium | Observability | OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. | Documentation |
No ROS Stack Policy 72ceb736-0aee-43ea-a191-3a69ab135681 |
Terraform | Medium | Resource Management | ROS Stack should have a stack policy in order to protect stack resources from and during update actions | Documentation |
RAM Account Password Policy without Reuse Prevention a8128dd2-89b0-464b-98e9-5d629041dfe0 |
Terraform | Medium | Secret Management | RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less | Documentation |
High KMS Key Rotation Period cb319d87-b90f-485e-a7e7-f2408380f309 |
Terraform | Medium | Secret Management | KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year | Documentation |
Ram Account Password Policy Not Required Numbers 063234c0-91c0-4ab5-bbd0-47ddb5f23786 |
Terraform | Medium | Secret Management | Ram Account Password Policy should have 'require_numbers' set to true | Documentation |
RAM Account Password Policy Not Require at Least one Uppercase Character 5e0fb613-ba9b-44c3-88f0-b44188466bfd |
Terraform | Medium | Secret Management | Ram Account Password Policy should have 'require_uppercase_characters' set to true | Documentation |
Ram Account Password Policy Not Require At Least one Lowercase Character 89143358-cec6-49f5-9392-920c591c669c |
Terraform | Medium | Secret Management | Ram Account Password Policy should have 'require_lowercase_characters' set to true | Documentation |
Ram Account Password Policy Max Password Age Unrecommended 2bb13841-7575-439e-8e0a-cccd9ede2fa8 |
Terraform | Medium | Secret Management | Ram Account Password Policy 'max_password_age' should be higher than 0 and lower than 91 | Documentation |
RAM Account Password Policy Not Required Symbols 41a38329-d81b-4be4-aef4-55b2615d3282 |
Terraform | Medium | Secret Management | RAM account password security should require at least one symbol | Documentation |
OSS Bucket Transfer Acceleration Disabled 8f98334a-99aa-4d85-b72a-1399ca010413 |
Terraform | Low | Availability | OSS Bucket should have transfer acceleration enabled | Documentation |
OSS Bucket Lifecycle Rule Disabled 7db8bd7e-9772-478c-9ec5-4bc202c5686f |
Terraform | Low | Backup | OSS Bucket should have lifecycle rule enabled and set to true | Documentation |
RDS Instance Log Connections Disabled 140869ea-25f2-40d4-a595-0c0da135114e |
Terraform | Low | Observability | 'log_connections' parameter should be set to ON for RDS instances | Documentation |
RDS Instance Log Disconnections Disabled d53f4123-f8d8-4224-8cb3-f920b151cc98 |
Terraform | Low | Observability | 'log_disconnections' parameter should be set to ON for RDS instances | Documentation |
RDS Instance Log Duration Disabled a597e05a-c065-44e7-9cc8-742f572a504a |
Terraform | Low | Observability | 'log_duration' parameter should be set to ON for RDS instances | Documentation |
VPC Flow Logs Disabled d2731f3d-a992-44ed-812e-f4f1c2747d71 |
Terraform | Low | Observability | Every VPC resource should have an associated Flow Log | Documentation |
BOM - AWS EFS f53f16d6-46a9-4277-9fbe-617b1e24cdca |
Terraform | Trace | Bill Of Materials | A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. | Documentation |
BOM - AWS SNS eccc4d59-74b9-4974-86f1-74386e0c7f33 |
Terraform | Trace | Bill Of Materials | A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. | Documentation |
BOM - AWS EBS 86571149-eef3-4280-a645-01e60df854b0 |
Terraform | Trace | Bill Of Materials | A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). | Documentation |
BOM - AWS SQS baecd2da-492a-4d59-b9dc-29540a1398e0 |
Terraform | Trace | Bill Of Materials | A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. | Documentation |
BOM - AWS MQ fcb1b388-f558-4b7f-9b6e-f4e98abb7380 |
Terraform | Trace | Bill Of Materials | A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. | Documentation |
BOM - AWS S3 Buckets 2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045 |
Terraform | Trace | Bill Of Materials | A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. | Documentation |
BOM - AWS Elasticache 54229498-850b-4f78-b3a7-218d24ef2c37 |
Terraform | Trace | Bill Of Materials | A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. | Documentation |
BOM - AWS MSK 051f2063-2517-4295-ad8e-ba88c1bf5cfc |
Terraform | Trace | Bill Of Materials | A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. | Documentation |
S3 Bucket Allows List Action From All Principals 66c6f96f-2d9e-417e-a998-9058aeeecd44 |
Terraform | High | Access Control | S3 Buckets must not allow List Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. | Documentation |
SNS Topic is Publicly Accessible b26d2b7e-60f6-413d-a3a1-a57db24aa2b3 |
Terraform | High | Access Control | SNS Topic Policy should not allow any principal to access | Documentation |
S3 Bucket ACL Allows Read Or Write to All Users 38c5ee0d-7f22-4260-ab72-5073048df100 |
Terraform | High | Access Control | S3 Buckets should not be readable and writable to all users | Documentation |
S3 Bucket With All Permissions a4966c4f-9141-48b8-a564-ffe9959945bc |
Terraform | High | Access Control | S3 Buckets should not have all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. | Documentation |
EFS With Vulnerable Policy fae52418-bb8b-4ac2-b287-0b9082d6a3fd |
Terraform | High | Access Control | EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. | Documentation |
Neptune Cluster Instance is Publicly Accessible 9ba198e0-fef4-464a-8a4d-75ea55300de7 |
Terraform | High | Access Control | Neptune Cluster Instance should not be publicly accessible | Documentation |
IAM Role With Full Privileges b1ffa705-19a3-4b73-b9d0-0c97d0663842 |
Terraform | High | Access Control | IAM role policies should not allow full administrative privileges (for all resources) | Documentation |
IAM Policy Grants Full Permissions 575a2155-6af1-4026-b1af-d5bc8fe2a904 |
Terraform | High | Access Control | IAM policy should not grant full permissions to resources from the get-go; permissions should instead be granted gradually as necessary. | Documentation |
S3 Bucket Allows Put Action From All Principals d24c0755-c028-44b1-b503-8e719c898832 |
Terraform | High | Access Control | S3 Buckets must not allow Put Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. | Documentation |
S3 Bucket Allows Public Policy 1a4bc881-9f69-4d44-8c9a-d37d08f54c50 |
Terraform | High | Access Control | S3 bucket allows public policy | Documentation |
S3 Bucket ACL Grants WRITE_ACP Permission 64a222aa-7793-4e40-915f-4b302c76e4d4 |
Terraform | High | Access Control | S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List, in order to prevent AWS accounts or IAM users from modifying access control permissions to the bucket. | Documentation |
ECS Service Admin Role Is Present 3206240f-2e87-4e58-8d24-3e19e7c83d7c |
Terraform | High | Access Control | ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role | Documentation |
S3 Bucket Allows Delete Action From All Principals ffdf4b37-7703-4dfe-a682-9d2e99bc6c09 |
Terraform | High | Access Control | S3 Buckets must not allow Delete Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. | Documentation |
Authentication Without MFA 3ddfa124-6407-4845-a501-179f90c65097 |
Terraform | High | Access Control | Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating | Documentation |
S3 Bucket ACL Allows Read to Any Authenticated User 57b9893d-33b1-4419-bcea-a717ea87e139 |
Terraform | High | Access Control | S3 Buckets should not be readable to any authenticated user | Documentation |
IAM Policies With Full Privileges 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84 |
Terraform | High | Access Control | IAM policies shouldn't allow full administrative privileges (for all resources) | Documentation |
S3 Bucket Allows Get Action From All Principals 1df37f4b-7197-45ce-83f8-9994d2fcf885 |
Terraform | High | Access Control | S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. | Documentation |
S3 Bucket Access to Any Principal 7af43613-6bb9-4a0e-8c4d-1314b799425e |
Terraform | High | Access Control | S3 Buckets must not allow Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals | Documentation |
MSK Broker Is Publicly Accessible 54378d69-dd7c-4b08-a43e-80d563396857 |
Terraform | High | Access Control | Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible | Documentation |
SQS Queue Exposed abb06e5f-ef9a-4a99-98c6-376d396bfcdf |
Terraform | High | Access Control | Checks if the SQS Queue is exposed | Documentation |
User Data Shell Script Is Encoded 9cf718ce-46f9-430e-89ec-c456f8b469ee |
Terraform | High | Encryption | User Data Shell Script must be encoded | Documentation |
EBS Volume Snapshot Not Encrypted e6b4b943-6883-47a9-9739-7ada9568f8ca |
Terraform | High | Encryption | The value of AWS EBS Volume Snapshot Encryption must be true | Documentation |
RDS Database Cluster not Encrypted 656880aa-1388-488f-a6d4-8f73c23149b2 |
Terraform | High | Encryption | RDS Database Cluster Encryption should be enabled | Documentation |
EBS Default Encryption Disabled 3d3f6270-546b-443c-adb4-bb6fb2187ca6 |
Terraform | High | Encryption | EBS Encryption should be enabled | Documentation |
ECS Task Definition Container With Plaintext Password d40210ea-64b9-4cce-a4fb-e8604f3c062c |
Terraform | High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. | Documentation |
IAM Database Auth Not Enabled 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6 |
Terraform | High | Encryption | IAM Database Auth Enabled should be configured to true when using compatible engine and version | Documentation |
User Data Contains Encoded Private Key 443488f5-c734-460b-a36d-5b3f330174dc |
Terraform | High | Encryption | User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily | Documentation |
Sagemaker Notebook Instance Without KMS f3674e0c-f6be-43fa-b71c-bf346d1aed99 |
Terraform | High | Encryption | AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS | Documentation |
MSK Cluster Encryption Disabled 6db52fa6-d4da-4608-908a-89f0c59e743e |
Terraform | High | Encryption | Ensure MSK Cluster encryption at rest and in transit is enabled | Documentation |
Redis Not Compliant 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4 |
Terraform | High | Encryption | Check if the Redis version is compliant with the necessary AWS PCI DSS requirements | Documentation |
DAX Cluster Not Encrypted f11aec39-858f-4b6f-b946-0a1bf46c0c87 |
Terraform | High | Encryption | AWS DAX Cluster should have server-side encryption at rest | Documentation |
Secure Ciphers Disabled 5c0003fb-9aa0-42c1-9da3-eb0e332bef21 |
Terraform | High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
Viewer Protocol Policy Allows HTTP 55af1353-2f62-4fa0-a8e1-a210ca2708f5 |
Terraform | High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
RDS Storage Not Encrypted 3199c26c-7871-4cb3-99c2-10a59244ce7f |
Terraform | High | Encryption | RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' | Documentation |
ELB Using Insecure Protocols 126c1788-23c2-4a10-906c-ef179f4f96ec |
Terraform | High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. | Documentation |
Athena Workgroup Not Encrypted d364984a-a222-4b5f-a8b0-e23ab19ebff3 |
Terraform | High | Encryption | Athena Workgroup query results should be encrypted, for all queries that run in the workgroup | Documentation |
CA Certificate Identifier Is Outdated 9f40c07e-699e-4410-8856-3ba0f2e3a2dd |
Terraform | High | Encryption | The CA certificate Identifier must be 'rds-ca-2019'. | Documentation |
DOCDB Cluster Without KMS 4766d3ea-241c-4ee6-93ff-c380c996bd1a |
Terraform | High | Encryption | AWS DOCDB Cluster should be encrypted with a KMS encryption key | Documentation |
Redshift Not Encrypted cfdcabb0-fc06-427c-865b-c59f13e898ce |
Terraform | High | Encryption | AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) | Documentation |
Sagemaker Endpoint Configuration Encryption Disabled 58b35504-0287-4154-bf69-02c0573deab8 |
Terraform | High | Encryption | Sagemaker endpoint configuration should encrypt data | Documentation |
S3 Bucket SSE Disabled 6726dcc0-5ff5-459d-b473-a780bef7665c |
Terraform | High | Encryption | If the algorithm is AES256, the master key must be null, empty or undefined; otherwise the master key is required | Documentation |
Kinesis SSE Not Configured 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3 |
Terraform | High | Encryption | AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled | Documentation |
EKS Cluster Encryption Disabled 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281 |
Terraform | High | Encryption | EKS Cluster should be encrypted | Documentation |
EFS Without KMS 25d251f3-f348-4f95-845c-1090e41a615c |
Terraform | High | Encryption | Amazon Elastic File System should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed keys | Documentation |
ELB Using Weak Ciphers 4a800e14-c94a-442d-9067-5a2e9f6c0a4c |
Terraform | High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. | Documentation |
Athena Database Not Encrypted b2315cae-b110-4426-81e0-80bb8640cdd3 |
Terraform | High | Encryption | AWS Athena Database data in S3 should be encrypted | Documentation |
S3 Bucket Object Not Encrypted 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e |
Terraform | High | Encryption | S3 Bucket Object should have server-side encryption enabled | Documentation |
API Gateway Method Settings Cache Not Encrypted b7c9a40c-23e4-4a2d-8d39-a3352f10f288 |
Terraform | High | Encryption | API Gateway Method Settings Cache should be encrypted | Documentation |
CloudWatch Log Group Not Encrypted 0afbcfe9-d341-4b92-a64c-7e6de0543879 |
Terraform | High | Encryption | AWS CloudWatch Log groups should be encrypted using KMS | Documentation |
Glue Security Configuration Encryption Disabled ad5b4e97-2850-4adf-be17-1d293e0b85ee |
Terraform | High | Encryption | Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled | Documentation |
DOCDB Cluster Not Encrypted bc1f9009-84a0-490f-ae09-3e0ea6d74ad6 |
Terraform | High | Encryption | AWS DOCDB Cluster storage should be encrypted | Documentation |
AMI Not Encrypted 8bbb242f-6e38-4127-86d4-d8f0b2687ae2 |
Terraform | High | Encryption | AWS AMI Encryption is not enabled | Documentation |
DB Instance Storage Not Encrypted 08bd0760-8752-44e1-9779-7bb369b2b4e4 |
Terraform | High | Encryption | AWS DB Instance should have its storage encrypted by setting 'storage_encrypted' to 'true'. The 'storage_encrypted' default value is 'false'. | Documentation |
Kinesis Not Encrypted With KMS 862fe4bf-3eec-4767-a517-40f378886b88 |
Terraform | High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS | Documentation |
Glue Data Catalog Encryption Disabled 01d50b14-e933-4c99-b314-6d08cd37ad35 |
Terraform | High | Encryption | Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled | Documentation |
ECS Task Definition Volume Not Encrypted 4d46ff3b-7160-41d1-a310-71d6d370b08f |
Terraform | High | Encryption | AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted | Documentation |
Workspaces Workspace Volume Not Encrypted b9033580-6886-401a-8631-5f19f5bb24c7 |
Terraform | High | Encryption | AWS Workspaces Workspace data stored in volumes should be encrypted | Documentation |
Launch Configuration Is Not Encrypted 4de9de27-254e-424f-bd70-4c1e95790838 |
Terraform | High | Encryption | Launch Configuration EBS should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' argument should be set to true in each volume block | Documentation |
EFS Not Encrypted 48207659-729f-4b5c-9402-f884257d794f |
Terraform | High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
CodeBuild Project Encrypted With AWS Managed Key 3deec14b-03d2-4d27-9670-7d79322e3340 |
Terraform | High | Encryption | CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys | Documentation |
DB Instance Publicly Accessible 35113e6f-2c6b-414d-beec-7a9482d3b2d1 |
Terraform | High | Insecure Configurations | RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). | Documentation |
S3 Bucket Without Enabled MFA Delete c5b31ab9-0f26-4a49-b8aa-4cc064392f4d |
Terraform | High | Insecure Configurations | S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform; it can be done by adding an MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using the AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= | Documentation |
CloudFront Without Minimum Protocol TLS 1.2 00e5e55e-c2ff-46b3-a757-a7a1cd802456 |
Terraform | High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
No Password Policy Enabled b592ffd4-0577-44b6-bd35-8c5ee81b5918 |
Terraform | High | Insecure Configurations | IAM password policies should be set through the password minimum length and reset password attributes | Documentation |
ECS Task Definition Network Mode Not Recommended 9f4a9409-9c60-4671-be96-9716dbf63db1 |
Terraform | High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
DB Security Group Has Public Interface f0d8781f-99bf-4958-9917-d39283b168a0 |
Terraform | High | Insecure Configurations | The CIDR IP should not be a public interface | Documentation |
KMS Key With Vulnerable Policy 7ebc9038-0bde-479a-acc4-6ed7b6758899 |
Terraform | High | Insecure Configurations | Checks if the policy is vulnerable and needs updating. | Documentation |
S3 Static Website Host Enabled 42bb6b7f-6d54-4428-b707-666f669d94fb |
Terraform | High | Insecure Configurations | Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. | Documentation |
S3 Bucket with Unsecured CORS Rule 98a8f708-121b-455b-ae2f-da3fb59d17e1 |
Terraform | High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure | Documentation |
Redshift Publicly Accessible af173fde-95ea-4584-b904-bb3923ac4bda |
Terraform | High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) | Documentation |
Batch Job Definition With Privileged Container Properties 66cd88ac-9ddf-424a-b77e-e55e17630bee |
Terraform | High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
Lambda Function With Privileged Role 1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2 |
Terraform | High | Insecure Configurations | It is not advisable for AWS Lambda Functions to have privileged permissions. | Documentation |
S3 Bucket Without Restriction Of Public Bucket 1ec253ab-c220-4d63-b2de-5b40e0af9293 |
Terraform | High | Insecure Configurations | S3 bucket without restriction of public bucket | Documentation |
Root Account Has Active Access Keys 970d224d-b42a-416b-81f9-8f4dfe70c4bc |
Terraform | High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. | Documentation |
API Gateway Without Security Policy 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b |
Terraform | High | Insecure Configurations | API Gateway should have a Security Policy defined and use TLS 1.2. | Documentation |
IAM User Policy Without MFA b5681959-6c09-4f55-b42b-c40fa12d03ec |
Terraform | High | Insecure Configurations | Check if the root user is authenticated with MFA | Documentation |
Vulnerable Default SSL Certificate 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef |
Terraform | High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. | Documentation |
EKS Cluster Has Public Access CIDRs 61cf9883-1752-4768-b18c-0d57f2737709 |
Terraform | High | Networking and Firewall | Amazon EKS public endpoint is enabled and accessible to all: 0.0.0.0/0 | Documentation |
Sensitive Port Is Exposed To Entire Network 381c3f2a-ef6f-4eff-99f7-b169cda3422c |
Terraform | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
EKS node group remote access disabled ba40ace1-a047-483c-8a8d-bc2d3a67a82d |
Terraform | High | Networking and Firewall | EKS node group remote access is disabled when 'SourceSecurityGroups' is missing | Documentation |
HTTP Port Open To Internet ffac8a12-322e-42c1-b9b9-81ff85c39ef7 |
Terraform | High | Networking and Firewall | The HTTP port is open to the internet in a Security Group | Documentation |
Unrestricted Security Group Ingress 4728cd65-a20c-49da-8b31-9c08b423e4db |
Terraform | High | Networking and Firewall | Security groups allow ingress from 0.0.0.0/0 | Documentation |
VPC Peering Route Table with Unrestricted CIDR b3a41501-f712-4c4f-81e5-db9a7dc0e34e |
Terraform | High | Networking and Firewall | VPC Peering Route Table should restrict CIDR | Documentation |
EC2 Instance Has Public IP 5a2486aa-facf-477d-a5c1-b010789459ce |
Terraform | High | Networking and Firewall | EC2 Instance should not have a public IP address. | Documentation |
DB Security Group With Public Scope 1e0ef61b-ad85-4518-a3d3-85eaad164885 |
Terraform | High | Networking and Firewall | The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it | Documentation |
Default Security Groups With Unrestricted Traffic 46883ce1-dc3e-4b17-9195-c6a601624c73 |
Terraform | High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. | Documentation |
Route53 Record Undefined 25db74bf-fa3b-44da-934e-8c3e005c0453 |
Terraform | High | Networking and Firewall | Check if Record is set | Documentation |
Network ACL With Unrestricted Access To SSH 3af7f2fd-06e6-4dab-b996-2912bea19ba4 |
Terraform | High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Network ACL | Documentation |
Remote Desktop Port Open To Internet 151187cb-0efc-481c-babd-ad24e3c9bc22 |
Terraform | High | Networking and Firewall | The Remote Desktop port is open to the internet in a Security Group | Documentation |
DB Security Group Open To Large Scope 4f615f3e-fb9c-4fad-8b70-2e9f781806ce |
Terraform | High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. | Documentation |
VPC Default Security Group Accepts All Traffic 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75 |
Terraform | High | Networking and Firewall | Default Security Group attached to every VPC should restrict all traffic | Documentation |
Network ACL With Unrestricted Access To RDP a20be318-cac7-457b-911d-04cc6e812c25 |
Terraform | High | Networking and Firewall | 'RDP' (TCP:3389) should not be public in AWS Network ACL | Documentation |
Unknown Port Exposed To Internet 590d878b-abdc-428f-895a-e2b68a0e1998 |
Terraform | High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
ALB Listening on HTTP de7f5e83-da88-4046-871f-ea18504b1d43 |
Terraform | High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP | Documentation |
RDS Associated with Public Subnet 2f737336-b18a-4602-8ea0-b200312e1ac1 |
Terraform | High | Networking and Firewall | RDS should not run in public subnet | Documentation |
Security Group With Unrestricted Access To SSH 65905cec-d691-4320-b320-2000436cb696 |
Terraform | High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Security Group | Documentation |
KMS Key With No Deletion Window 0b530315-0ea4-497f-b34c-4ff86268f59d |
Terraform | High | Observability | AWS KMS Key should have a valid deletion window | Documentation |
Configuration Aggregator to All Regions Disabled ac5a0bc0-a54c-45aa-90c3-15f7703b9132 |
Terraform | High | Observability | AWS Config Configuration Aggregator All Regions must be set to True | Documentation |
CloudWatch IAM Policy Changes Alarm Missing eaaba502-2f94-411a-a3c2-83d63cc1776d |
Terraform | High | Observability | Ensure a log metric filter and alarm exist for IAM policy changes | Documentation |
CloudTrail Log Files S3 Bucket with Logging Disabled ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4 |
Terraform | High | Observability | CloudTrail Log Files S3 Bucket should have 'logging' enabled | Documentation |
CloudWatch Console Sign-in Without MFA Alarm Missing 44ceb4fa-0897-4fd2-b676-30e7a58f2933 |
Terraform | High | Observability | Ensure a log metric filter and alarm exist for management console sign-in without MFA | Documentation |
CloudTrail Logging Disabled 4bb76f17-3d63-4529-bdca-2b454529d774 |
Terraform | High | Observability | Checks if logging is enabled for CloudTrail. | Documentation |
CloudTrail Log Files S3 Bucket is Publicly Accessible bd0088a5-c133-4b20-b129-ec9968b16ef3 |
Terraform | High | Observability | CloudTrail Log Files S3 Bucket should not be publicly accessible | Documentation |
CMK Rotation Disabled 22fbfeac-7b5a-421a-8a27-7a2178bb910b |
Terraform | High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. | Documentation |
CloudWatch Unauthorized Access Alarm Missing 4c18a45b-4ab1-4790-9f83-399ac695f1e5 |
Terraform | High | Observability | Ensure a log metric filter and alarm exist for unauthorized API calls | Documentation |
CloudWatch Root Account Use Missing 8b1b1e67-6248-4dca-bbad-93486bb181c0 |
Terraform | High | Observability | Ensure a log metric filter and alarm exist for root account usage | Documentation |
Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' 7782d4b3-e23e-432b-9742-d9528432e771 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:PutUserPolicy' 8f75840d-9ee7-42f3-b203-b40e3979eb12 |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'iam:UpdateLoginProfile' 6deb34e2-5d9c-499a-801b-ea6d9eda894f |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' 94fbe150-27e3-4eba-9ca6-af32865e4503 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' 8055dec2-efb8-4fe6-8837-d9bed6ff202a |
Terraform | Medium | Access Control | User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' 8f3c16b3-354d-45db-8ad5-5066778a9485 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'iam:AttachRolePolicy' e227091e-2228-4b40-b046-fc13650d8e88 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' 571254d8-aa6a-432e-9725-535d3ef04d69 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:AttachRolePolicy' f465fff1-0a0f-457d-aa4d-1bddb6f204ff |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' 0a592060-8166-49f5-8e65-99ac6dce9871 |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'iam:AttachUserPolicy' 70cb518c-d990-46f6-bc05-44a5041493d6 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:CreateAccessKey' 5b4d4aee-ac94-4810-9611-833636e5916d |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:PutRolePolicy' eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7 |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'iam:PutUserPolicy' 60263b4a-6801-4587-911d-919c37ed733b |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy' f906113d-cdc0-415a-ba60-609cc6daaf4d |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile' ad296c0d-8131-4d6b-b030-1b0e73a99ad3 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
SNS Topic Publicity Has Allow and NotAction Simultaneously 5ea624e4-c8b1-4bb3-87a4-4235a776adcc |
Terraform | Medium | Access Control | SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. | Documentation |
Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile' 35ccf766-0e4d-41ed-9ec4-2dab155082b4 |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'iam:AddUserToGroup' 970ed7a2-0aca-4425-acf1-0453c9ecbca1 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Secrets Manager With Vulnerable Policy fa00ce45-386d-4718-8392-fb485e1f3c5b |
Terraform | Medium | Access Control | Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' | Documentation |
User With Privilege Escalation By Actions 'iam:PutGroupPolicy' 8bfbf7ab-d5e8-4100-8618-798956e101e0 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ee49557d-750c-4cc1-aa95-94ab36cbefde |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' 118281d0-6471-422e-a7c5-051bc667926e |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:CreateLoginProfile' 9a205ba3-0dd1-42eb-8d54-2ffec836b51a |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:PutGroupPolicy' d6047119-a0b2-4b59-a4f2-127a36fb685b |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
REST API With Vulnerable Policy b161c11b-a59b-4431-9a29-4e19f63e6b27 |
Terraform | Medium | Access Control | REST API policy should avoid wildcard in 'Action' and 'Principal' | Documentation |
Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' 9b0ffadc-a61f-4c2a-b1e6-68fab60f6267 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
IAM User With Access To Console 9ec311bf-dfd9-421f-8498-0b063c8bc552 |
Terraform | Medium | Access Control | AWS IAM Users should not have access to console | Documentation |
Group With Privilege Escalation By Actions 'iam:PutGroupPolicy' e77c89f6-9c85-49ea-b95b-5f960fe5be92 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
ECR Repository Is Publicly Accessible e86e26fc-489e-44f0-9bcd-97305e4ba69a |
Terraform | Medium | Access Control | Amazon ECR image repositories shouldn't have public access | Documentation |
CloudWatch Logs Destination With Vulnerable Policy db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8 |
Terraform | Medium | Access Control | CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' | Documentation |
Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ec49cbfd-fae4-45f3-81b1-860526d66e3f |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Lambda With Vulnerable Policy ad9dabc7-7839-4bae-a957-aa9120013f39 |
Terraform | Medium | Access Control | The attribute 'action' should not have wildcard | Documentation |
User With Privilege Escalation By Actions 'iam:AddUserToGroup' bf9d42c7-c2f9-4dfe-942c-c8cc8249a081 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' eda48c88-2b7d-4e34-b6ca-04c0194aee17 |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
API Gateway Method Does Not Contains An API Key 671211c5-5d2a-4e97-8867-30fc28b02216 |
Terraform | Medium | Access Control | An API Key should be required on a method request. | Documentation |
User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' 9b877bd8-94b4-4c10-a060-8e0436cc09fa |
Terraform | Medium | Access Control | User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Elasticsearch Without IAM Authentication e7530c3c-b7cf-4149-8db9-d037a0b5268e |
Terraform | Medium | Access Control | AWS Elasticsearch should ensure IAM Authentication | Documentation |
User With Privilege Escalation By Actions 'iam:CreateAccessKey' 113208f2-a886-4526-9ecc-f3218600e12c |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'iam:CreateLoginProfile' 0fd7d920-4711-46bd-aff2-d307d82cd8b7 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'iam:AttachUserPolicy' db78d14b-10e5-4e6e-84b1-dace6327b1ec |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Elasticsearch Domain With Vulnerable Policy 16c4216a-50d3-4785-bfb2-4adb5144a8ba |
Terraform | Medium | Access Control | Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. | Documentation |
SQS Policy Allows All Actions 816ea8cf-d589-442d-a917-2dd0ce0e45e3 |
Terraform | Medium | Access Control | SQS policy allows ALL (*) actions | Documentation |
Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' f1173d8c-3264-4148-9fdb-61181e031b51 |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' 19ffbe31-9d72-4379-9768-431195eae328 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Neptune Cluster With IAM Database Authentication Disabled c91d7ea0-d4d1-403b-8fe1-c9961ac082c5 |
Terraform | Medium | Access Control | Neptune Cluster should have IAM Database Authentication enabled | Documentation |
Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' fa62ac4f-f5b9-45b9-97c1-625c8b6253ca |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'iam:PutUserPolicy' 0c10d7da-85c4-4d62-b2a8-d6c104f1bd77 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' c583f0f9-7dfd-476b-a056-f47c62b47b46 |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
API Gateway Without Configured Authorizer ed35928e-195c-4405-a252-98ccb664ab7C |
Terraform | Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer | Documentation |
Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' be2aa235-bd93-4b68-978a-1cc65d49082f |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Glue With Vulnerable Policy d25edb51-07fb-4a73-97d4-41cecdc53a22 |
Terraform | Medium | Access Control | Glue policy should avoid wildcard in 'principals' and 'actions' | Documentation |
Public and Private EC2 Share Role c53c7a89-f9d7-4c7b-8b66-8a555be99593 |
Terraform | Medium | Access Control | Public and private EC2 instances should not share the same role. | Documentation |
User With Privilege Escalation By Actions 'iam:PutRolePolicy' eeb4d37a-3c59-4789-a00c-1509bc3af1e5 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' 7d544dad-8a6c-431c-84c1-5f07fe9afc0e |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'iam:CreatePolicyVersion' 1743f5f1-0bb0-4934-acef-c80baa5dadfa |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' b69247e5-7e73-464e-ba74-ec9b715c6e12 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'iam:AttachUserPolicy' 7c96920c-6fd0-449d-9a52-0aa431b6beaf |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
SQS Policy With Public Access 730675f9-52ed-49b6-8ead-0acb5dd7df7f |
Terraform | Medium | Access Control | Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue | Documentation |
IAM Role Policy passRole Allows All e39bee8c-fe54-4a3f-824d-e5e2d1cca40a |
Terraform | Medium | Access Control | Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources | Documentation |
Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' 78f1ec6f-5659-41ea-bd48-d0a142dce4f2 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' 15e6ad8c-f420-49a6-bafb-074f5eb1ec74 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Public Lambda via API Gateway 3ef8696c-e4ae-4872-92c7-520bb44dfe77 |
Terraform | Medium | Access Control | A Lambda function can be invoked through a public API Gateway | Documentation |
Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' 034d0aee-620f-4bf7-b7fb-efdf661fdb9e |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'iam:CreateLoginProfile' 04c686f1-e0cd-4812-88e1-4e038410074c |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' 89561b03-cb35-44a9-a7e9-8356e71606f4 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' 43a41523-386a-4cb1-becb-42af6b414433 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'iam:AttachRolePolicy' 3dd96caa-0b5f-4a85-b929-acfac4646cc2 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' 30b88745-eebe-4ecb-a3a9-5cf886e96204 |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
S3 Bucket Allows Public ACL d0cc8694-fcad-43ff-ac86-32331d7e867f |
Terraform | Medium | Access Control | S3 bucket allows public ACL | Documentation |
IAM Access Key Is Exposed 7081f85c-b94d-40fd-8b45-a4f1cac75e46 |
Terraform | Medium | Access Control | Check if IAM Access Key is active for some user besides 'root' | Documentation |
Role With Privilege Escalation By Actions 'iam:AddUserToGroup' b8a31292-509d-4b61-bc40-13b167db7e9c |
Terraform | Medium | Access Control | Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'iam:AttachGroupPolicy' 6d23d87e-1c5b-4308-b224-92624300f29b |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Certificate Has Expired c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6 |
Terraform | Medium | Access Control | Expired SSL/TLS certificates should be removed | Documentation |
Lambda Permission Principal Is Wildcard e08ed7eb-f3ef-494d-9d22-2e3db756a347 |
Terraform | Medium | Access Control | Lambda Permission Principal should not contain a wildcard. | Documentation |
Policy Without Principal bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54 |
Terraform | Medium | Access Control | All policies, except IAM identity-based policies, should have the 'Principal' element defined | Documentation |
Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy' 70b42736-efee-4bce-80d5-50358ed94990 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Group With Privilege Escalation By Actions 'iam:CreateAccessKey' 846646e3-2af1-428c-ac5d-271eccfa6faf |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
AMI Shared With Multiple Accounts ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698 |
Terraform | Medium | Access Control | Limits access to AWS AMIs by checking if more than one account is using the same image | Documentation |
SES Policy With Allowed IAM Actions 34b921bd-90a0-402e-a0a5-dc73371fd963 |
Terraform | Medium | Access Control | SES policy should not allow IAM actions to all principals | Documentation |
IAM Policies Attached To User b4378389-a9aa-44ee-91e7-ef183f11079e |
Terraform | Medium | Access Control | IAM policies should be attached only to groups or roles | Documentation |
Group With Privilege Escalation By Actions 'iam:PutRolePolicy' c0c1e744-0f37-445e-924a-1846f0839f69 |
Terraform | Medium | Access Control | Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' 33627268-1445-4385-988a-318fd9d1a512 |
Terraform | Medium | Access Control | User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. | Documentation |
Cross-Account IAM Assume Role Policy Without ExternalId or MFA 09c35abf-5852-4622-ac7a-b987b331232e |
Terraform | Medium | Access Control | Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access | Documentation |
ElastiCache Nodes Not Created Across Multi AZ 6db03a91-f933-4f13-ab38-a8b87a7de54d |
Terraform | Medium | Availability | ElastiCache Nodes should have 'az_mode' set to 'cross-az' in a multi-node cluster | Documentation |
CMK Is Unusable 7350fa23-dcf7-4938-916d-6a60b0c73b50 |
Terraform | Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true | Documentation |
Auto Scaling Group With No Associated ELB 8e94dced-9bcc-4203-8eb7-7e41202b2505 |
Terraform | Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. | Documentation |
ECS Service Without Running Tasks 91f16d09-689e-4926-aca7-155157f634ed |
Terraform | Medium | Availability | ECS Service should have at least 1 task running | Documentation |
ElastiCache Redis Cluster Without Backup 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab |
Terraform | Medium | Backup | ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 | Documentation |
Stack Retention Disabled 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97 |
Terraform | Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction | Documentation |
RDS With Backup Disabled 1dc73fb4-5b51-430c-8c5f-25dcf9090b02 |
Terraform | Medium | Backup | Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup | Documentation |
IAM Password Without Symbol 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48 |
Terraform | Medium | Best Practices | IAM password should have the required symbols | Documentation |
ALB Not Dropping Invalid Headers 6e3fd2ed-5c83-4c68-9679-7700d224d379 |
Terraform | Medium | Best Practices | It's considered a best practice when using Application Load Balancers to drop invalid header fields | Documentation |
Cognito UserPool Without MFA ec28bf61-a474-4dbe-b414-6dd3a067d6f0 |
Terraform | Medium | Best Practices | AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users | Documentation |
Misconfigured Password Policy Expiration ce60d060-efb8-4bfd-9cf7-ff8945d00d90 |
Terraform | Medium | Best Practices | No password expiration policy | Documentation |
RDS Cluster With Backup Disabled e542bd46-58c4-4e0f-a52a-1fb4f9548e02 |
Terraform | Medium | Best Practices | RDS Cluster backup retention period should be specifically defined | Documentation |
IAM Password Without Lowercase Letter bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9 |
Terraform | Medium | Best Practices | IAM Password should have at least one lowercase letter | Documentation |
Password Without Reuse Prevention 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a |
Terraform | Medium | Best Practices | Check if the IAM account password policy has password reuse prevention configured with 24 | Documentation |
IAM Password Without Uppercase Letter c5ff7bc9-d8ea-46dd-81cb-8286f3222249 |
Terraform | Medium | Best Practices | IAM password should have at least one uppercase letter | Documentation |
IAM Password Without Minimum Length 1bc1c685-e593-450e-88fb-19db4c82aa1d |
Terraform | Medium | Best Practices | IAM password should have the required minimum length | Documentation |
Stack Without Template 91bea7b8-0c31-4863-adc9-93f6177266c4 |
Terraform | Medium | Build Process | AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body | Documentation |
API Gateway With Invalid Compression ed35928e-195c-4405-a252-98ccb664ab7b |
Terraform | Medium | Encryption | API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. | Documentation |
Unscanned ECR Image 9630336b-3fed-4096-8173-b9afdfe346a7 |
Terraform | Medium | Encryption | Checks if the ECR Image has been scanned | Documentation |
S3 Bucket Policy Accepts HTTP Requests 4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9 |
Terraform | Medium | Encryption | S3 Bucket policy should not accept HTTP Requests | Documentation |
AmazonMQ Broker Encryption Disabled 3db3f534-e3a3-487f-88c7-0a9fbf64b702 |
Terraform | Medium | Encryption | AmazonMQ Broker should have Encryption Options defined | Documentation |
ElasticSearch Not Encrypted At Rest 24e16922-4330-4e9d-be8a-caa90299466a |
Terraform | Medium | Encryption | Check if ElasticSearch encryption is disabled at Rest | Documentation |
DynamoDB Table Not Encrypted ce089fd4-1406-47bd-8aad-c259772bb294 |
Terraform | Medium | Encryption | AWS DynamoDB Tables should have server-side encryption | Documentation |
Elasticsearch Domain Not Encrypted Node To Node 967eb3e6-26fc-497d-8895-6428beb6e8e2 |
Terraform | Medium | Encryption | Elasticsearch Domain encryption should be enabled node to node | Documentation |
Secretsmanager Secret Encrypted With AWS Managed Key b0d3ef3f-845d-4b1b-83d6-63a5a380375f |
Terraform | Medium | Encryption | Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys | Documentation |
Neptune Database Cluster Encryption Disabled 98d59056-f745-4ef5-8613-32bca8d40b7e |
Terraform | Medium | Encryption | Neptune database cluster storage should have encryption enabled | Documentation |
Memcached Disabled 4bd15dd9-8d5e-4008-8532-27eb0c3706d3 |
Terraform | Medium | Encryption | Check if Memcached is disabled on ElastiCache | Documentation |
SNS Topic Not Encrypted 28545147-2fc6-42d5-a1f9-cf226658e591 |
Terraform | Medium | Encryption | SNS (Simple Notification Service) Topic should be encrypted | Documentation |
EBS Volume Encryption Disabled cc997676-481b-4e93-aa81-d19f8c5e9b12 |
Terraform | Medium | Encryption | EBS volumes should be encrypted | Documentation |
Secretsmanager Secret Without KMS a2f548f2-188c-4fff-b172-e9a6acb216bd |
Terraform | Medium | Encryption | AWS Secrets Manager should use an AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret | Documentation |
DOCDB Cluster Encrypted With AWS Managed Key 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d |
Terraform | Medium | Encryption | DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys | Documentation |
Config Rule For Encrypted Volumes Disabled abdb29d4-5ca1-4e91-800b-b3569bbd788c |
Terraform | Medium | Encryption | Check if AWS config rules do not identify Encrypted Volumes as a source. | Documentation |
ElastiCache Replication Group Not Encrypted At Transit 1afbb3fa-cf6c-4a3d-b730-95e9f4df343e |
Terraform | Medium | Encryption | ElastiCache Replication Group encryption should be enabled at Transit | Documentation |
SSM Session Transit Encryption Disabled ce60cc6b-6831-4bd7-84a2-cc7f8ee71433 |
Terraform | Medium | Encryption | SSM Session should be encrypted in transit | Documentation |
ElasticSearch Encryption With KMS Disabled 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2 |
Terraform | Medium | Encryption | Check if any ElasticSearch domain isn't encrypted with KMS. | Documentation |
ElastiCache Replication Group Not Encrypted At Rest 76976de7-c7b1-4f64-a94f-90c1345914c2 |
Terraform | Medium | Encryption | ElastiCache Replication Group encryption should be enabled at Rest | Documentation |
SNS Topic Encrypted With AWS Managed Key b1a72f66-2236-4f3b-87ba-0da1b366956f |
Terraform | Medium | Encryption | SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys | Documentation |
SQS With SSE Disabled 6e8849c1-3aa7-40e3-9063-b85ee300f29f |
Terraform | Medium | Encryption | Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) | Documentation |
ECR Image Tag Not Immutable d1846b12-20c5-4d45-8798-fc35b79268eb |
Terraform | Medium | Insecure Configurations | ECR repositories should have image tag immutability enabled. This prevents image tags from being overwritten. | Documentation |
EKS Cluster Has Public Access 42f4b905-3736-4213-bfe9-c0660518cda8 |
Terraform | Medium | Insecure Configurations | Amazon EKS public endpoint should be set to false | Documentation |
AWS Password Policy With Unchangeable Passwords 9ef7d25d-9764-4224-9968-fa321c56ef76 |
Terraform | Medium | Insecure Configurations | Unchangeable passwords in AWS password policy | Documentation |
MQ Broker Is Publicly Accessible 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb |
Terraform | Medium | Insecure Configurations | Check that no MQ Broker is publicly accessible | Documentation |
Redshift Cluster Without VPC 0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3 |
Terraform | Medium | Insecure Configurations | Redshift Cluster should be configured in VPC (Virtual Private Cloud) | Documentation |
IAM User Has Too Many Access Keys 3561130e-9c5f-485b-9e16-2764c82763e5 |
Terraform | Medium | Insecure Configurations | An IAM User should not have more than one access key, since it increases the risk of unauthorized access and credential compromise | Documentation |
API Gateway With Open Access 15ccec05-5476-4890-ad19-53991eba1db8 |
Terraform | Medium | Insecure Configurations | API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. | Documentation |
API Gateway Without SSL Certificate 0b4869fc-a842-4597-aa00-1294df425440 |
Terraform | Medium | Insecure Configurations | SSL Client Certificate should be enabled | Documentation |
Certificate RSA Key Bytes Lower Than 256 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b |
Terraform | Medium | Insecure Configurations | The certificate should use an RSA key with a length equal to or higher than 256 bytes | Documentation |
Service Control Policies Disabled 5ba6229c-8057-433e-91d0-21cf13569ca9 |
Terraform | Medium | Insecure Configurations | Check that AWS Organizations has all features enabled, to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). | Documentation |
Instance With No VPC a31a5a29-718a-4ff4-8001-a69e5e4d029e |
Terraform | Medium | Insecure Configurations | EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | Documentation |
SQS VPC Endpoint Without DNS Resolution e9b7acf9-9ba0-4837-a744-31e7df1e434d |
Terraform | Medium | Networking and Firewall | SQS VPC Endpoint should have DNS resolution enabled | Documentation |
VPC Subnet Assigns Public IP 52f04a44-6bfa-4c41-b1d3-4ae99a2de05c |
Terraform | Medium | Networking and Firewall | VPC Subnet should not assign public IP | Documentation |
Sensitive Port Is Exposed To Wide Private Network 92fe237e-074c-4262-81a4-2077acb928c1 |
Terraform | Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol | Documentation |
VPC Without Network Firewall fd632aaf-b8a1-424d-a4d1-0de22fd3247a |
Terraform | Medium | Networking and Firewall | VPC should have a Network Firewall associated | Documentation |
API Gateway Endpoint Config is Not Private 6b2739db-9c49-4db7-b980-7816e0c248c1 |
Terraform | Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet | Documentation |
Sensitive Port Is Exposed To Small Public Network e35c16a2-d54e-419d-8546-a804d8e024d0 |
Terraform | Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol | Documentation |
API Gateway without WAF a186e82c-1078-4a7b-85d8-579561fde884 |
Terraform | Medium | Networking and Firewall | API Gateway should have WAF (Web Application Firewall) enabled | Documentation |
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible 54c417bf-c762-48b9-9d31-b3d87047e3f0 |
Terraform | Medium | Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. | Documentation |
ALB Is Not Integrated With WAF 0afa6ab8-a047-48cf-be07-93a2f8c34cf7 |
Terraform | Medium | Networking and Firewall | All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service | Documentation |
Dynamodb VPC Endpoint Without Route Table Association 0bc534c5-13d1-4353-a7fe-b8665d5c1d7d |
Terraform | Medium | Networking and Firewall | DynamoDB VPC Endpoint should be associated with a route table | Documentation |
API Gateway Access Logging Disabled 1b6799eb-4a7a-4b04-9001-8cceb9999326 |
Terraform | Medium | Observability | API Gateway should have Access Log Settings defined | Documentation |
API Gateway With CloudWatch Logging Disabled 982aa526-6970-4c59-8b9b-2ce7e019fe36 |
Terraform | Medium | Observability | AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation | Documentation |
API Gateway Deployment Without Access Log Setting 625abc0e-f980-4ac9-a775-f7519ee34296 |
Terraform | Medium | Observability | API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. | Documentation |
Elasticsearch Log is disabled acb6b4e2-a086-4f35-aefd-4db6ea51ada2 |
Terraform | Medium | Observability | AWS Elasticsearch domains should have log publishing enabled | Documentation |
CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing 56a585f5-555c-48b2-8395-e64e4740a9cf |
Terraform | Medium | Observability | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK | Documentation |
Cloudwatch Cloudtrail Configuration Changes Alarm Missing 0f6cbf69-41bb-47dc-93f3-3844640bf480 |
Terraform | Medium | Observability | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Documentation |
Default VPC Exists 96ed3526-0179-4c73-b1b2-372fde2e0d13 |
Terraform | Medium | Observability | A default VPC should not exist; resources should not be deployed in the default VPC | Documentation |
S3 Bucket Object Level CloudTrail Logging Disabled a8fc2180-b3ac-4c93-bd0d-a55b974e4b07 |
Terraform | Medium | Observability | S3 Bucket object-level CloudTrail logging should be enabled for read and write events | Documentation |
S3 Bucket Without Versioning 568a4d22-3517-44a6-a7ad-6a7eed88722c |
Terraform | Medium | Observability | S3 bucket should have versioning enabled | Documentation |
CloudWatch S3 policy Change Alarm Missing 27c6a499-895a-4dc7-9617-5c485218db13 |
Terraform | Medium | Observability | Ensure a log metric filter and alarm exist for S3 bucket policy changes | Documentation |
CloudWatch Metrics Disabled 081069cb-588b-4ce1-884c-2a1ce3029fe5 |
Terraform | Medium | Observability | CloudWatch metrics should be enabled | Documentation |
ElasticSearch Without Slow Logs e979fcbc-df6c-422d-9458-c33d65e71c45 |
Terraform | Medium | Observability | Ensure that AWS Elasticsearch enables support for slow logs | Documentation |
CloudTrail Not Integrated With CloudWatch 17b30f8f-8dfb-4597-adf6-57600b6cf25e |
Terraform | Medium | Observability | CloudTrail should be integrated with CloudWatch | Documentation |
GuardDuty Detector Disabled 704dadd3-54fc-48ac-b6a0-02f170011473 |
Terraform | Medium | Observability | Make sure that Amazon GuardDuty is Enabled | Documentation |
MQ Broker Logging Disabled 31245f98-a6a9-4182-9fc1-45482b9d030a |
Terraform | Medium | Observability | MQ Brokers should have logging enabled for both available log types (audit and general) | Documentation |
MSK Cluster Logging Disabled 2f56b7ab-7fba-4e93-82f0-247e5ddeb239 |
Terraform | Medium | Observability | Ensure MSK Cluster Logging is enabled | Documentation |
CloudTrail SNS Topic Name Undefined 482b7d26-0bdb-4b5f-bf6f-545826c0a3dd |
Terraform | Medium | Observability | Check if SNS topic name is set for CloudTrail | Documentation |
Cloudwatch Security Group Changes Alarm Missing 4beaf898-9f8b-4237-89e2-5ffdc7ee6006 |
Terraform | Medium | Observability | Ensure a log metric filter and alarm exist for security group changes | Documentation |
CloudFront Logging Disabled 94690d79-b3b0-43de-b656-84ebef5753e5 |
Terraform | Medium | Observability | AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined | Documentation |
API Gateway X-Ray Disabled 5813ef56-fa94-406a-b35d-977d4a56ff2b |
Terraform | Medium | Observability | API Gateway should have X-Ray Tracing enabled | Documentation |
CloudWatch Management Console Auth Failed Alarm Missing 5864d189-ee9a-4009-ac0c-8a582e6b7919 |
Terraform | Medium | Observability | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | Documentation |
Redshift Cluster Logging Disabled 15ffbacc-fa42-4f6f-a57d-2feac7365caa |
Terraform | Medium | Observability | Make sure Logging is enabled for Redshift Cluster | Documentation |
CloudTrail Multi Region Disabled 8173d5eb-96b5-4aa6-a71b-ecfa153c123d |
Terraform | Medium | Observability | CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled | Documentation |
CloudWatch Without Retention Period Specified ef0b316a-211e-42f1-888e-64efe172b755 |
Terraform | Medium | Observability | AWS CloudWatch Log groups should have retention days specified | Documentation |
CloudWatch AWS Organizations Changes Missing Alarm 38b85c45-e772-4de8-a247-69619ca137b3 |
Terraform | Medium | Observability | Ensure a log metric filter and alarm exist for AWS organizations changes | Documentation |
ELB Access Log Disabled 20018359-6fd7-4d05-ab26-d4dffccbdf79 |
Terraform | Medium | Observability | ELB should have logging enabled to help on error investigation | Documentation |
Stack Notifications Disabled b72d0026-f649-4c91-a9ea-15d8f681ac09 |
Terraform | Medium | Observability | AWS CloudFormation should have stack notifications enabled to be notified when an event occurs | Documentation |
CloudWatch Logging Disabled 7dbba512-e244-42dc-98bb-422339827967 |
Terraform | Medium | Observability | Route53 hosted zones should have CloudWatch query logging enabled | Documentation |
S3 Bucket Logging Disabled f861041c-8c9f-4156-acfc-5e6e524f5884 |
Terraform | Medium | Observability | Server Access Logging should be enabled on S3 Buckets so that all requests to the bucket are logged and traceable | Documentation |
No Stack Policy 2f01fb2d-828a-499d-b98e-b83747305052 |
Terraform | Medium | Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions | Documentation |
Hardcoded AWS Access Key d7b9d850-3e06-4a75-852f-c46c2e92240b |
Terraform | Medium | Secret Management | AWS Access Key should not be hardcoded | Documentation |
Hardcoded AWS Access Key In Lambda 1402afd8-a95c-4e84-8b0b-6fb43758e6ce |
Terraform | Medium | Secret Management | Lambda access/secret keys should not be hardcoded | Documentation |
IAM Group Without Users fc101ca7-c9dd-4198-a1eb-0fbe92e80044 |
Terraform | Low | Access Control | IAM Group should have at least one user associated | Documentation |
IAM Policy Grants 'AssumeRole' Permission Across All Services bcdcbdc6-a350-4855-ae7c-d1e6436f7c97 |
Terraform | Low | Access Control | IAM Policy should not grant 'AssumeRole' permission across all services. | Documentation |
S3 Bucket Public ACL Overridden By Public Access Block bf878b1a-7418-4de3-b13c-3a86cf894920 |
Terraform | Low | Access Control | S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' | Documentation |
IAM Role Allows All Principals To Assume 12b7e704-37f0-4d1e-911a-44bf60c48c21 |
Terraform | Low | Access Control | IAM role allows all services or principals to assume it | Documentation |
EC2 Instance Using API Keys 0b93729a-d882-4803-bdc3-ac429a21f158 |
Terraform | Low | Access Control | EC2 instances should use roles to be granted access to other AWS services | Documentation |
EC2 Instance Using Default Security Group f1adc521-f79a-4d71-b55b-a68294687432 |
Terraform | Low | Access Control | EC2 instances should not use default security group(s) | Documentation |
Autoscaling Groups Supply Tags ba48df05-eaa1-4d64-905e-4a4b051e7587 |
Terraform | Low | Availability | Autoscaling groups should supply tags to the instances they launch | Documentation |
IAM Access Analyzer Not Enabled e592a0c5-5bdb-414c-9066-5dba7cdea370 |
Terraform | Low | Best Practices | IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions | Documentation |
ECR Repository Without Policy 69e7c320-b65d-41bb-be02-d63ecc0bcc9d |
Terraform | Low | Best Practices | ECR Repository should have Policies attached to it | Documentation |
CDN Configuration Is Missing 1bc367f6-901d-4870-ad0c-71d79762ef52 |
Terraform | Low | Best Practices | Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. | Documentation |
Lambda Permission Misconfigured 75ec6890-83af-4bf1-9f16-e83726df0bd0 |
Terraform | Low | Best Practices | Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' | Documentation |
Automatic Minor Upgrades Disabled 3b6d777b-76e3-4133-80a3-0d6f667ade7f |
Terraform | Low | Best Practices | RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. | Documentation |
Lambda IAM InvokeFunction Misconfigured 0ca1017d-3b80-423e-bb9c-6cd5898d34bd |
Terraform | Low | Best Practices | Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' | Documentation |
ECR Repository Not Encrypted With CMK 0e32d561-4b5a-4664-a6e3-a3fa85649157 |
Terraform | Low | Encryption | ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation | Documentation |
S3 Bucket Without Ignore Public ACL 4fa66806-0dd9-4f8d-9480-3174d39c7c91 |
Terraform | Low | Insecure Configurations | S3 bucket Public Access Block should have the attribute 'ignore_public_acls' set to true | Documentation |
ALB Deletion Protection Disabled afecd1f1-6378-4f7e-bb3b-60c35801fdd4 |
Terraform | Low | Insecure Configurations | Application Load Balancer should have deletion protection enabled | Documentation |
RDS Using Default Port bca7cc4d-b3a4-4345-9461-eb69c68fcd26 |
Terraform | Low | Networking and Firewall | RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 | Documentation |
ElastiCache Without VPC 8c849af7-a399-46f7-a34c-32d3dc96f1fc |
Terraform | Low | Networking and Firewall | ElastiCache should be launched in a Virtual Private Cloud (VPC) | Documentation |
ElastiCache Using Default Port 5d89db57-8b51-4b38-bb76-b9bd42bd40f0 |
Terraform | Low | Networking and Firewall | ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 | Documentation |
EC2 Instance Using Default VPC 7e4a6e76-568d-43ef-8c4e-36dea481bff1 |
Terraform | Low | Networking and Firewall | EC2 Instances should not be configured under a default VPC network | Documentation |
CloudFront Without WAF 1419b4c6-6d5c-4534-9cf6-6a5266085333 |
Terraform | Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service | Documentation |
EMR Without VPC 2b3c8a6d-9856-43e6-ab1d-d651094f03b4 |
Terraform | Low | Networking and Firewall | Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) | Documentation |
Redshift Using Default Port 41abc6cc-dde1-4217-83d3-fb5f0cc09d8f |
Terraform | Low | Networking and Firewall | Redshift should not use the default port (5439) because an attacker can easily guess the port | Documentation |
Shield Advanced Not In Use 084c6686-2a70-4710-91b1-000393e54c12 |
Terraform | Low | Networking and Firewall | AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks | Documentation |
Missing Cluster Log Types 66f130d9-b81d-4e8e-9b08-da74b9c891df |
Terraform | Low | Observability | Amazon EKS control plane logging is not enabled for all log types | Documentation |
CloudWatch Network Gateways Changes Alarm Missing 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e |
Terraform | Low | Observability | Ensure a log metric filter and alarm exist for network gateways changes | Documentation |
EKS cluster logging is not enabled 37304d3f-f852-40b8-ae3f-725e87a7cedf |
Terraform | Low | Observability | Amazon EKS control plane logging is not enabled | Documentation |
ECS Cluster with Container Insights Disabled 97cb0688-369a-4d26-b1f7-86c4c91231bc |
Terraform | Low | Observability | ECS Cluster should enable container insights | Documentation |
Lambda Functions Without X-Ray Tracing 8152e0cf-d2f0-47ad-96d5-d003a76eabd1 |
Terraform | Low | Observability | AWS Lambda functions should have tracing enabled. For this, the attribute 'tracing_config.mode' should have the value 'Active' | Documentation |
CloudWatch VPC Changes Alarm Missing 9d0d4512-1959-43a2-a17f-72360ff06d1b |
Terraform | Low | Observability | Ensure a log metric filter and alarm exist for VPC changes | Documentation |
CloudTrail Log File Validation Disabled 52ffcfa6-6c70-4ea6-8376-d828d3961669 |
Terraform | Low | Observability | CloudTrail log file validation should be enabled so that it can be determined whether a log file has been tampered with | Documentation |
CloudWatch Route Table Changes Alarm Missing 2285e608-ddbc-47f3-ba54-ce7121e31216 |
Terraform | Low | Observability | Ensure a log metric filter and alarm exist for route table changes | Documentation |
Global Accelerator Flow Logs Disabled 96e8183b-e985-457b-90cd-61c0503a3369 |
Terraform | Low | Observability | Global Accelerator should have flow logs enabled | Documentation |
CloudWatch AWS Config Configuration Changes Alarm Missing 5b8d7527-de8e-4114-b9dd-9d988f1f418f |
Terraform | Low | Observability | Ensure a log metric filter and alarm exist for AWS Config configuration changes | Documentation |
API Gateway Deployment Without API Gateway UsagePlan Associated b3a59b8e-94a3-403e-b6e2-527abaf12034 |
Terraform | Low | Observability | API Gateway Deployment should have API Gateway UsagePlan defined and associated. | Documentation |
CloudWatch Changes To NACL Alarm Missing 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0 |
Terraform | Low | Observability | Ensure a log metric filter and alarm exist for changes to NACL | Documentation |
CloudTrail Log Files Not Encrypted With KMS 5d9e3164-9265-470c-9a10-57ae454ac0c7 |
Terraform | Low | Observability | Logs delivered by CloudTrail should be encrypted using KMS | Documentation |
VPC FlowLogs Disabled f83121ea-03da-434f-9277-9cd247ab3047 |
Terraform | Low | Observability | Every VPC resource should have an associated Flow Log | Documentation |
DocDB Logging Is Disabled 56f6a008-1b14-4af4-b9b2-ab7cf7e27641 |
Terraform | Low | Observability | DocDB logging should be enabled | Documentation |
API Gateway Stage Without API Gateway UsagePlan Associated c999cf62-0920-40f8-8dda-0caccd66ed7e |
Terraform | Low | Resource Management | API Gateway Stage should have API Gateway UsagePlan defined and associated. | Documentation |
Security Group Not Used 4849211b-ac39-479e-ae78-5694d506cb24 |
Terraform | Info | Access Control | A declared security group should be attached to at least one resource; unused security groups should be removed | Documentation |
Security Group Rule Without Description 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e |
Terraform | Info | Best Practices | It's considered a best practice for all rules in AWS Security Group to have a description | Documentation |
Resource Not Using Tags e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10 |
Terraform | Info | Best Practices | AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' | Documentation |
Security Group Without Description cb3f5ed6-0d18-40de-a93d-b3538db31e8c |
Terraform | Info | Best Practices | It's considered a best practice for AWS Security Group to have a description | Documentation |
DynamoDB Table Point In Time Recovery Disabled 741f1291-47ac-4a85-a07b-3d32a9d6bd3e |
Terraform | Info | Best Practices | It's considered a best practice to have point in time recovery enabled for DynamoDB Table | Documentation |
EC2 Not EBS Optimized 60224630-175a-472a-9e23-133827040766 |
Terraform | Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance | Documentation |
RDS Without Logging 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56 |
Terraform | Info | Observability | RDS instance should have at least one log type exported to CloudWatch Logs | Documentation |
EC2 Instance Monitoring Disabled 23b70e32-032e-4fa6-ba5c-82f56b9980e6 |
Terraform | Info | Observability | EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods | Documentation |
Neptune Logging Is Disabled 45cff7b6-3b80-40c1-ba7b-2cf480678bb8 |
Terraform | Info | Observability | Neptune logging should be enabled | Documentation |
Generic Git Module Without Revision 3a81fc06-566f-492a-91dd-7448e409e2cd |
Terraform | Info | Best Practices | All generic git repositories should reference a revision. | Documentation |
Variable Without Description 2a153952-2544-4687-bcc9-cc8fea814a9b |
Terraform | Info | Best Practices | All variables should contain a valid description. | Documentation |
Name Is Not Snake Case 1e434b25-8763-4b00-a5ca-ca03b7abbb66 |
Terraform | Info | Best Practices | All names should follow snake case pattern. | Documentation |
Variable Without Type fc5109bf-01fd-49fb-8bde-4492b543c34a |
Terraform | Info | Best Practices | All variables should contain a valid type. | Documentation |
Output Without Description 59312e8a-a64e-41e7-a252-618533dd1ea8 |
Terraform | Info | Best Practices | All outputs should contain a valid description. | Documentation |
VM With Full Cloud Access bc280331-27b9-4acb-a010-018e8098aa5d |
Terraform | High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs | Documentation |
Cloud Storage Anonymous or Publicly Accessible a6cd52a1-3056-4910-96a5-894de9f3f3b3 |
Terraform | High | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' | Documentation |
OSLogin Disabled 32ecd6eb-0711-421f-9627-1a28d9eff217 |
Terraform | High | Access Control | OS Login should be enabled in the project metadata | Documentation |
BigQuery Dataset Is Public e576ce44-dd03-4022-a8c0-3906acca2ab4 |
Terraform | High | Access Control | BigQuery dataset is anonymously or publicly accessible | Documentation |
Cloud Storage Bucket Is Publicly Accessible c010082c-76e0-4b91-91d9-6e8439e455dd |
Terraform | High | Access Control | Cloud Storage Bucket is anonymously or publicly accessible | Documentation |
SQL DB Instance Backup Disabled cf3c7631-cd1e-42f3-8801-a561214a6e79 |
Terraform | High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
KMS Crypto Key is Publicly Accessible 16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5 |
Terraform | High | Encryption | KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' | Documentation |
SQL DB Instance With SSL Disabled 02474449-71aa-40a1-87ae-e14497747b00 |
Terraform | High | Encryption | Cloud SQL Database Instance should have SSL enabled | Documentation |
DNSSEC Using RSASHA1 ccc3100c-0fdd-4a5e-9908-c10107291860 |
Terraform | High | Encryption | DNSSEC should not use the RSASHA1 algorithm, which means that within the 'dnssec_config' block no 'default_key_specs' block should have its 'algorithm' field set to 'rsasha1' | Documentation |
IP Aliasing Disabled c606ba1d-d736-43eb-ac24-e16108f3a9e0 |
Terraform | High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE | Documentation |
Cluster Master Authentication Disabled 1baba08e-3c8a-4be7-95eb-dced5833de21 |
Terraform | High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
Pod Security Policy Disabled 9192e0f9-eca5-4056-9282-ae2a736a4088 |
Terraform | High | Insecure Configurations | Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true | Documentation |
Cluster Labels Disabled 65c1bc7a-4835-4ac4-a2b6-13d310b0648d |
Terraform | High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined | Documentation |
Private Cluster Disabled 6ccb85d7-0420-4907-9380-50313f80946b |
Terraform | High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true | Documentation |
SQL DB Instance Publicly Accessible b187edca-b81e-4fdc-aff4-aab57db45edb |
Terraform | High | Insecure Configurations | Cloud SQL instances should not be publicly accessible. | Documentation |
Network Policy Disabled 11e7550e-c4b6-472e-adff-c698f157cdd7 |
Terraform | High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false | Documentation |
GKE Legacy Authorization Enabled 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067 |
Terraform | High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true | Documentation |
Client Certificate Disabled 73fb21a1-b19a-45b1-b648-b47b1678681e |
Terraform | High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true | Documentation |
GKE Basic Authentication Enabled 70cdf849-b7d9-4569-b87d-5d82ffd44719 |
Terraform | High | Insecure Configurations | GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty | Documentation |
Not Proper Email Account In Use 9356962e-4a4f-4d06-ac59-dc8008775eaa |
Terraform | High | Insecure Configurations | Gmail accounts are being used instead of corporate credentials | Documentation |
Stackdriver Logging Disabled 4c7ebcb2-eae2-461e-bc83-456ee2d4f694 |
Terraform | High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' | Documentation |
IAM Audit Not Properly Configured 89fe890f-b480-460c-8b6b-7d8b1468adb4 |
Terraform | High | Observability | Audit Logging Configuration is defective | Documentation |
Cloud Storage Bucket Versioning Disabled e7e961ac-d17e-4413-84bc-8a1fbe242944 |
Terraform | High | Observability | Cloud Storage Bucket should have versioning enabled | Documentation |
Stackdriver Monitoring Disabled 30e8dfd2-3591-4d19-8d11-79e93106c93d |
Terraform | High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' | Documentation |
Cloud Storage Bucket Logging Not Enabled d6cabc3a-d57e-48c2-b341-bf3dd4f4a120 |
Terraform | High | Observability | Cloud storage bucket should have logging enabled | Documentation |
Node Auto Upgrade Disabled b139213e-7d24-49c2-8025-c18faa21ecaa |
Terraform | High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters | Documentation |
Google Project IAM Member Service Account has Token Creator or Account User Role c68b4e6d-4e01-4ca1-b256-1e18e875785c |
Terraform | Medium | Access Control | Google Project IAM Member should not grant a service account the Service Account User or Service Account Token Creator role | Documentation |
Google Project IAM Binding Service Account has Token Creator or Account User Role 617ef6ff-711e-4bd7-94ae-e965911b1b40 |
Terraform | Medium | Access Control | Google Project IAM Binding should not grant a service account the Service Account User or Service Account Token Creator role | Documentation |
KMS Admin and CryptoKey Roles In Use 92e4464a-4139-4d57-8742-b5acc0347680 |
Terraform | Medium | Access Control | Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member | Documentation |
Google Project IAM Member Service Account Has Admin Role 84d36481-fd63-48cb-838e-635c44806ec2 |
Terraform | Medium | Access Control | Google Project IAM Member should not grant a service account an Admin role | Documentation |
Google Compute SSL Policy Weak Cipher In Use 14a457f0-473d-4d1d-9e37-6d99b355b336 |
Terraform | Medium | Encryption | Google Compute SSL Policy should not allow weak cipher suites, which means the minimum TLS version should be TLS_1_2, since lower versions permit weak ciphers | Documentation |
Disk Encryption Disabled b1d51728-7270-4991-ac2f-fc26e2695b38 |
Terraform | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined | Documentation |
Google Storage Bucket Level Access Disabled bb0db090-5509-4853-a827-75ced0b3caa0 |
Terraform | Medium | Insecure Configurations | Google Storage Bucket should have uniform bucket-level access enabled | Documentation |
COS Node Image Not Used 8a893e46-e267-485a-8690-51f39951de58 |
Terraform | Medium | Insecure Configurations | The node image should be Container-Optimized OS(COS) | Documentation |
OSLogin Is Disabled For VM Instance d0b4d550-c001-46c3-bbdb-d5d75d33f05f |
Terraform | Medium | Insecure Configurations | VM instances should not disable OS Login through their instance metadata | Documentation |
Google Project Auto Create Network Disabled 59571246-3f62-4965-a96f-c7d97e269351 |
Terraform | Medium | Insecure Configurations | Google Project should have automatic creation of the default network disabled | Documentation |
Shielded VM Disabled 1b44e234-3d73-41a8-9954-0b154135280e |
Terraform | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true | Documentation |
Cloud DNS Without DNSSEC 5ef61c88-bbb4-4725-b1df-55d23c9676bb |
Terraform | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
Serial Ports Are Enabled For VM Instances 97fa667a-d05b-4f16-9071-58b939f34751 |
Terraform | Medium | Insecure Configurations | Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone | Documentation |
Google Container Node Pool Auto Repair Disabled acfdbec6-4a17-471f-b412-169d77553332 |
Terraform | Medium | Insecure Configurations | Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. | Documentation |
GKE Using Default Service Account 1c8eef02-17b1-4a3e-b01d-dcc3292d2c38 |
Terraform | Medium | Insecure Defaults | Kubernetes Engine Clusters should not be configured to use the default service account | Documentation |
Using Default Service Account 3cb4af0b-056d-4fb1-8b95-fdc4593625ff |
Terraform | Medium | Insecure Defaults | Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. | Documentation |
SSH Access Is Not Restricted c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0 |
Terraform | Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block), following the principle of least privilege | Documentation |
Google Compute Network Using Default Firewall Rule 40abce54-95b1-478c-8e5f-ea0bf0bb0e33 |
Terraform | Medium | Networking and Firewall | Google Compute Network should not use default firewall rule | Documentation |
RDP Access Is Not Restricted 678fd659-96f2-454a-a2a0-c2571f83a4a3 |
Terraform | Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 | Documentation |
IP Forwarding Enabled f34c0c25-47b4-41eb-9c79-249b4dd47b89 |
Terraform | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true | Documentation |
Google Compute Network Using Firewall Rule that Allows All Ports 22ef1d26-80f8-4a6c-8c15-f35aab3cac78 |
Terraform | Medium | Networking and Firewall | Google Compute Network should not use a firewall rule that allows all ports | Documentation |
Google Compute Subnetwork Logging Disabled 40430747-442d-450a-a34f-dc57149f4609 |
Terraform | Medium | Observability | This query checks if logs are enabled for a Google Compute Subnetwork resource. | Documentation |
Service Account with Improper Privileges cefdad16-0dd5-4ac5-8ed2-a37502c78672 |
Terraform | Medium | Resource Management | Service account should not have improper privileges like admin, editor, owner, or write roles | Documentation |
Project-wide SSH Keys Are Enabled In VM Instances 3e4d5ce6-3280-4027-8010-c26eeea1ec01 |
Terraform | Medium | Secret Management | VM Instance should block project-wide SSH keys | Documentation |
High KMS Rotation Period 352271ca-842f-408a-8b24-f6f2b76eb027 |
Terraform | Medium | Secret Management | KMS Rotation Period should be greater than 365 days. | Documentation |
High Google KMS Crypto Key Rotation Period d8c57c4e-bf6f-4e32-a2bf-8643532de77b |
Terraform | Medium | Secret Management | Encryption keys should be changed after 90 days | Documentation |
User with IAM Role 704fcc44-a58f-4af5-82e2-93f2a58ef918 |
Terraform | Low | Best Practices | As a best practice, it is better to assign an IAM Role to a group than to a user | Documentation |
Google Compute Network Using Firewall Rule that Allows Port Range e6f61c37-106b-449f-a5bb-81bfcaceb8b4 |
Terraform | Low | Networking and Firewall | Google Compute Network should not use a firewall rule that allows port range | Documentation |
Google Compute Subnetwork with Private Google Access Disabled ee7b93c1-b3f8-4a3b-9588-146d481814f5 |
Terraform | Low | Networking and Firewall | Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true | Documentation |
Github Organization Webhook With SSL Disabled ce7c874e-1b88-450b-a5e4-cb76ada3c8a9 |
Terraform | Medium | Encryption | Check if insecure SSL is being used in the GitHub organization webhooks | Documentation |
GitHub Repository Set To Public 15d8a7fd-465a-4d15-a868-add86552f17b |
Terraform | Medium | Insecure Configurations | Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') | Documentation |
Serverless Role With Full Privileges 59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd |
ServerlessFW | High | Access Control | Roles defined in Serverless files should not have policies granting full administrative privileges. | Documentation |
Serverless Function Environment Variables Not Encrypted 4495bc5d-4d1e-4a26-ae92-152d18195648 |
ServerlessFW | High | Encryption | Serverless Function should encrypt environment variables | Documentation |
Serverless API Without Content Encoding d5d1fe08-89db-440c-8725-b93223387309 |
ServerlessFW | Medium | Encryption | Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 | Documentation |
Serverless Function Without Unique IAM Role 165aae3b-a56a-48f3-b76d-d2b5083f5b8f |
ServerlessFW | Medium | Insecure Configurations | Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks | Documentation |
Serverless Function Without Tags f99d3482-fa8c-4f79-bad9-35212dded164 |
ServerlessFW | Medium | Insecure Configurations | Serverless Function should have associated tags | Documentation |
Serverless API Endpoint Config Not Private 4d424558-c6d1-453c-be98-9a7f877abd9a |
ServerlessFW | Medium | Networking and Firewall | Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet | Documentation |
Serverless API Access Logging Setting Undefined a4d32883-aac7-42e1-b403-9415af0f3846 |
ServerlessFW | Medium | Observability | Serverless FW API should have HTTP Access Logging enabled | Documentation |
Serverless API X-Ray Tracing Disabled 434945e5-4dfd-41b1-aba1-47075ccd9265 |
ServerlessFW | Medium | Observability | Serverless API Gateway should have X-Ray Tracing enabled | Documentation |
Serverless Function Without Dead Letter Queue dec7bc85-d156-4f64-9a33-96ed3d9f3fed |
ServerlessFW | Low | Insecure Configurations | Serverless Function should be configured with a Dead Letter Queue (DLQ). A DLQ can be set up in the 'onError' config parameter | Documentation |
Serverless Function Without X-Ray Tracing 0d7ef70f-e176-44e6-bdba-add3e429788d |
ServerlessFW | Low | Observability | Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' | Documentation |
Volume Has Sensitive Host Directory 1c1325ff-831d-43a1-973e-839ae57dfcc0 |
DockerCompose | High | Build Process | Container has sensitive host directory mounted as a volume | Documentation |
Docker Socket Mounted In Container d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b |
DockerCompose | High | Build Process | Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. | Documentation |
Volume Mounted In Multiple Containers baa452f0-1f21-4a25-ace5-844e7a5f410d |
DockerCompose | High | Build Process | Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' | Documentation |
Privileged Containers Enabled ae5b6871-7f45-42e0-bb4c-ab300c4d2026 |
DockerCompose | High | Resource Management | Privileged containers should be used with extreme caution; they have all of the capabilities that the Linux kernel offers to Docker. | Documentation |
No New Privileges Not Set 27fcc7d6-c49b-46e0-98f1-6c082a6a2750 |
DockerCompose | High | Resource Management | Ensuring the process does not gain any new privileges lessens the risk associated with many operations. | Documentation |
Healthcheck Not Set 698ed579-b239-4f8f-a388-baa4bcb13ef8 |
DockerCompose | Medium | Availability | Check containers periodically to see if they are running properly. | Documentation |
Restart Policy On Failure Not Set To 5 2fc99041-ddad-49d5-853f-e35e70a48391 |
DockerCompose | Medium | Build Process | Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the number recommended by CIS. | Documentation |
Cgroup Not Default 4d9f44c6-2f4a-4317-9bb5-267adbea0232 |
DockerCompose | Medium | Build Process | Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. | Documentation |
Privileged Ports Mapped In Container bc2908f3-f73c-40a9-8793-c1b7d5544f79 |
DockerCompose | Medium | Networking and Firewall | Privileged ports (1 to 1023) should not be mapped. You should also drop the net_bind_service Linux capability from the container unless you absolutely need to use privileged ports. | Documentation |
Container Traffic Not Bound To Host Interface 451d79dc-0588-476a-ad03-3c7f0320abb3 |
DockerCompose | Medium | Networking and Firewall | Incoming container traffic should be bound to a specific host interface | Documentation |
Networks Not Set ce14a68b-1668-41a0-ab7d-facd9f784742 |
DockerCompose | Medium | Networking and Firewall | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. | Documentation |
Shared Host IPC Namespace baa3890f-bed7-46f5-ab8f-1da8fc91c729 |
DockerCompose | Medium | Resource Management | Container should not share the host IPC namespace | Documentation |
Default Seccomp Profile Disabled 404fde2c-bc4b-4371-9747-7054132ac953 |
DockerCompose | Medium | Resource Management | Seccomp offers a whitelist of common system calls, blocking all others. Exposing less of the kernel to an application thus increases security. | Documentation |
Memory Not Limited bb9ac4f7-e13b-423d-a010-c74a1bfbe492 |
DockerCompose | Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory | Documentation |
Shared Host Network Namespace 071a71ff-f868-47a4-ac0b-3c59e4ab5443 |
DockerCompose | Medium | Resource Management | Container should not share the host network namespace | Documentation |
Shared Host User Namespace 8af7162d-6c98-482f-868e-0d33fb675ca8 |
DockerCompose | Medium | Resource Management | The host's user namespace should not be shared. | Documentation |
Pids Limit Not Set 221e0658-cb2a-44e3-b08a-db96a341d6fa |
DockerCompose | Medium | Resource Management | 'pids_limit' should be set to a value other than -1 | Documentation |
Security Opt Not Set 610e266e-6c12-4bca-9925-1ed0cd29742b |
DockerCompose | Medium | Resource Management | Attribute 'security_opt' should be defined. | Documentation |
Host Namespace is Shared 4f31dd9f-2cc3-4751-9b53-67e4af83dac0 |
DockerCompose | Medium | Resource Management | The host's process namespace should not be shared by containers | Documentation |
Container Capabilities Unrestricted ce76b7d0-9e77-464d-b86f-c5c48e03e22d |
DockerCompose | Low | Resource Management | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. | Documentation |
Cpus Not Limited 6b610c50-99fb-4ef0-a5f3-e312fd945bc3 |
DockerCompose | Low | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests | Documentation |
AKS RBAC Disabled b2418936-cd47-4ea2-8346-623c0bdb87bd |
Crossplane | Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
Redis Cache Allows Non SSL Connections 6c7cfec3-c686-4ed2-bf58-a1ec054b63fc |
Crossplane | Medium | Encryption | Redis Cache resource should not allow non-SSL connections. | Documentation |
EFS Without KMS bdecd6db-2600-47dd-a10c-72c97cf17ae9 |
Crossplane | High | Encryption | Amazon Elastic File System should have filesystem encryption enabled using KMS customer-managed keys (CMKs) instead of AWS-managed keys | Documentation |
ELB Using Weak Ciphers a507daa5-0795-4380-960b-dd7bb7c56661 |
Crossplane | High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. | Documentation |
DB Instance Storage Not Encrypted e50eb68a-a4af-4048-8bbe-8ec324421469 |
Crossplane | High | Encryption | RDS Instance should have its storage encrypted by setting the parameter 'storageEncrypted' to 'true'. Its default value is 'false'. | Documentation |
EFS Not Encrypted 72840c35-3876-48be-900d-f21b2f0c2ea1 |
Crossplane | High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
CloudFront Without Minimum Protocol TLS 1.2 255b0fcc-9f82-41fe-9229-01b163e3376b |
Crossplane | High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
DB Security Group Has Public Interface dd667399-8d9d-4a8d-bbb4-e49ab53b2f52 |
Crossplane | High | Insecure Configurations | The CIDR IP should not be a public interface | Documentation |
Neptune Database Cluster Encryption Disabled 83bf5aca-138a-498e-b9cd-ad5bc5e117b4 |
Crossplane | Medium | Encryption | Neptune database cluster storage should have encryption enabled | Documentation |
SQS with SSE disabled 9296f1cc-7a40-45de-bd41-f31745488a0e |
Crossplane | Medium | Encryption | Amazon Simple Queue Service (SQS) queues should protect the contents of their messages using Server-Side Encryption (SSE) | Documentation |
CloudFront Logging Disabled 7b590235-1ff4-421b-b9ff-5227134be9bb |
Crossplane | Medium | Observability | AWS CloudFront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true | Documentation |
CloudWatch Without Retention Period Specified 934613fe-b12c-4e5a-95f5-c1dcdffac1ff |
Crossplane | Medium | Observability | AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events | Documentation |
CloudFront Without WAF 6d19ce0f-b3d8-4128-ac3d-1064e0f00494 |
Crossplane | Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service | Documentation |
Cloud Storage Bucket Logging Not Enabled 6c2d627c-de0f-45fb-b33d-dad9bffbb421 |
Crossplane | High | Observability | Cloud storage bucket should have logging enabled | Documentation |
Google Container Node Pool Auto Repair Disabled b4f65d13-a609-4dc1-af7c-63d2e08bffe9 |
Crossplane | Medium | Insecure Configurations | Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. | Documentation |
Passwords And Secrets a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 |
Common | High | Secret Management | Query to find passwords and secrets in infrastructure code. | Documentation |