Ansible
Ansible Queries List¶
This page contains all queries from Ansible.
AZURE¶
Bellow are listed queries related with Ansible AZURE:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Admin User Enabled For Container Registry 29f35127-98e6-43af-8ec1-201b79f99604 |
High | Access Control | Admin user is enabled for Container Registry | Documentation |
| Public Storage Account 35e2f133-a395-40de-a79d-b260d973d1bd |
High | Access Control | Storage Account should not be public to grant the principle of least privileges | Documentation |
| Storage Container Is Publicly Accessible 4d3817db-dd35-4de4-a80d-3867157e7f7f |
High | Access Control | Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage | Documentation |
| Storage Account Not Forcing HTTPS 2c99a474-2a3c-4c17-8294-53ffa5ed0522 |
High | Encryption | Storage Accounts should enforce the use of HTTPS | Documentation |
| MySQL SSL Connection Disabled 2a901825-0f3b-4655-a0fe-e0470e50f8e6 |
High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
| SSL Enforce Disabled 961ce567-a16d-4d7d-9027-f0ec2628a555 |
High | Encryption | Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
| Azure Container Registry With No Locks 581dae78-307d-45d5-aae4-fe2b0db267a5 |
High | Insecure Configurations | Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined | Documentation |
| Web App Accepting Traffic Other Than HTTPS eb8c2560-8bee-4248-9d0d-e80c8641dd91 |
High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service. | Documentation |
| VM Not Attached To Network 1e5f5307-3e01-438d-8da6-985307ed25ce |
High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
| AD Admin Not Configured For SQL Server b176e927-bbe2-44a6-a9c3-041417137e5f |
High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
| CosmosDB Account IP Range Filter Not Set e8c80448-31d8-4755-85fc-6dbab69c2717 |
High | Networking and Firewall | The IP range filter should be defined to secure the data stored | Documentation |
| Trusted Microsoft Services Not Enabled 1bc398a8-d274-47de-a4c8-6ac867b353de |
High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access | Documentation |
| Sensitive Port Is Exposed To Entire Network 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc |
High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
| SQLServer Ingress From Any IP f4e9ff70-0f3b-4c50-a713-26cbe7ec4039 |
High | Networking and Firewall | Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. | Documentation |
| Redis Publicly Accessible 0632d0db-9190-450a-8bb3-c283bffea445 |
High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources | Documentation |
| Redis Entirely Accessible 0d0c12b9-edce-4510-9065-13f6a758750c |
High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet | Documentation |
| AKS RBAC Disabled 149fa56c-4404-4f90-9e25-d34b676d5b39 |
Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
| Role Definition Allows Custom Role Creation 5c80db8e-03f5-43a2-b4af-1f3f87018157 |
Medium | Access Control | Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) | Documentation |
| Key Vault Soft Delete Is Disabled 881696a8-68c5-4073-85bc-7c38a3deb854 |
Medium | Backup | Make sure Soft Delete is enabled for Key Vault | Documentation |
| SQL Server Predictable Admin Account Name 663062e9-473d-4e87-99bc-6f3684b3df40 |
Medium | Best Practices | Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict | Documentation |
| SQL Server Predictable Active Directory Account Name 530e8291-2f22-4bab-b7ea-306f1bc2a308 |
Medium | Best Practices | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict | Documentation |
| Cosmos DB Account Without Tags 23a4dc83-4959-4d99-8056-8e051a82bc1e |
Medium | Build Process | Cosmos DB Account must have a mapping of tags. | Documentation |
| Storage Account Not Using Latest TLS Encryption Version c62746cf-92d5-4649-9acf-7d48d086f2ee |
Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
| Security Group is Not Configured da4f2739-174f-4cdd-b9ef-dc3f14b5931f |
Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
| AKS Network Policy Misconfigured 8c3bedf1-c570-4c3b-b414-d068cd39a00c |
Medium | Insecure Configurations | Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined | Documentation |
| Redis Cache Allows Non SSL Connections 869e7fb4-30f0-4bdb-b360-ad548f337f2f |
Medium | Insecure Configurations | Redis Cache resources should not allow non-SSL connections | Documentation |
| Default Network Access is Allowed 974e6fe7-63fd-4fa4-aa72-77b21a4a959d |
Medium | Insecure Defaults | Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' | Documentation |
| Unrestricted SQL Server Access 3f23c96c-f9f5-488d-9b17-605b8da5842f |
Medium | Networking and Firewall | Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' | Documentation |
| WAF Is Disabled For Azure Application Gateway 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255 |
Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. | Documentation |
| Firewall Rule Allows Too Many Hosts To Access Redis Cache 69f72007-502e-457b-bd2d-5012e31ac049 |
Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache. | Documentation |
| PostgreSQL Log Connections Not Set 7b47138f-ec0e-47dc-8516-e7728fe3cc17 |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
| PostgreSQL Log Duration Not Set 729ebb15-8060-40f7-9017-cb72676a5487 |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
| AKS Monitoring Logging Disabled d5e83b32-56dd-4247-8c2e-074f43b38a5e |
Medium | Observability | Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring | Documentation |
| Log Retention Is Not Set 0461b4fd-21ef-4687-929e-484ee4796785 |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
| Monitoring Log Profile Without All Activities 89f84a1e-75f8-47c5-83b5-bee8e2de4168 |
Medium | Observability | Monitoring log profile captures all the activities (Action, Write, Delete) | Documentation |
| PostgreSQL Log Checkpoints Disabled 7ab33ac0-e4a3-418f-a673-50da4e34df21 |
Medium | Observability | Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
| PostgreSQL Log Disconnections Not Set 054d07b5-941b-4c28-8eef-18989dc62323 |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
| PostgreSQL Server Without Connection Throttling a9becca7-892a-4af7-b9e1-44bf20a4cd9a |
Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
| Small Activity Log Retention Period 37fafbea-dedb-4e0d-852e-d16ee0589326 |
Medium | Observability | Ensure that Activity Log Retention is set 365 days or greater | Documentation |
| ### AWS | ||||
| Bellow are listed queries related with Ansible AWS: |
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| S3 Bucket Allows List Action From All Principals d395a950-12ce-4314-a742-ac5a785ab44e |
High | Access Control | S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. | Documentation |
| SNS Topic is Publicly Accessible 905f4741-f965-45c1-98db-f7a00a0e5c73 |
High | Access Control | SNS Topic Policy should not allow any principal to access | Documentation |
| S3 Bucket With All Permissions 6a6d7e56-c913-4549-b5c5-5221e624d2ec |
High | Access Control | S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. | Documentation |
| IAM Policy Grants Full Permissions b5ed026d-a772-4f07-97f9-664ba0b116f8 |
High | Access Control | IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. | Documentation |
| S3 Bucket Allows Put Action From All Principals a0f1bfe0-741e-473f-b3b2-13e66f856fab |
High | Access Control | S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. | Documentation |
| ECS Service Admin Role Is Present 7db727c1-1720-468e-b80e-06697f71e09e |
High | Access Control | ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role | Documentation |
| S3 Bucket Allows Delete Action From All Principals 6fa44721-ef21-41c6-8665-330d59461163 |
High | Access Control | S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. | Documentation |
| Authentication Without MFA eee107f9-b3d8-45d3-b9c6-43b5a7263ce1 |
High | Access Control | Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating | Documentation |
| S3 Bucket ACL Allows Read to Any Authenticated User 75480b31-f349-4b9a-861f-bce19588e674 |
High | Access Control | S3 Buckets should not be readable to any authenticated user | Documentation |
| IAM Policies With Full Privileges e401d614-8026-4f4b-9af9-75d1197461ba |
High | Access Control | IAM policies shouldn't allow full administrative privileges (for all resources) | Documentation |
| S3 Bucket ACL Allows Read to All Users a1ef9d2e-4163-40cb-bd92-04f0d602a15d |
High | Access Control | S3 Buckets should not be readable to all users | Documentation |
| S3 Bucket Allows Get Action From All Principals 53bce6a8-5492-4b1b-81cf-664385f0c4bf |
High | Access Control | S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. | Documentation |
| S3 Bucket Access to Any Principal 3ab1f27d-52cc-4943-af1d-43c1939e739a |
High | Access Control | Checks if the S3 bucket is accessible for all users | Documentation |
| SQS Queue Exposed 86b0efa7-4901-4edd-a37a-c034bec6645a |
High | Access Control | Checks if the SQS Queue is exposed | Documentation |
| User Data Shell Script Is Encoded 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89 |
High | Encryption | User Data Shell Script must be encoded | Documentation |
| S3 Bucket Without Server-side-encryption 594f54e7-f744-45ab-93e4-c6dbaf6cd571 |
High | Encryption | AWS S3 Storage should be protected with SSE (Server-Side Encryption) | Documentation |
| ECS Task Definition Container With Plaintext Password 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892 |
High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. | Documentation |
| IAM Database Auth Not Enabled 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 |
High | Encryption | IAM Database Auth Enabled should be configured to true when using compatible engine and version | Documentation |
| User Data Contains Encoded Private Key c09f4d3e-27d2-4d46-9453-abbe9687a64e |
High | Encryption | User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily | Documentation |
| Redis Not Compliant 9f34885e-c08f-4d13-a7d1-cf190c5bd268 |
High | Encryption | Check if the redis version is compliant with the necessary AWS PCI DSS requirements | Documentation |
| Secure Ciphers Disabled 218413a0-c716-4b94-9e08-0bb70d854709 |
High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
| Viewer Protocol Policy Allows HTTP a6d27cf7-61dc-4bde-ae08-3b353b609f76 |
High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
| ELB Using Insecure Protocols 730a5951-2760-407a-b032-dd629b55c23a |
High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. | Documentation |
| CA Certificate Identifier Is Outdated 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce |
High | Encryption | The CA certificate Identifier must be 'rds-ca-2019'. | Documentation |
| Redshift Not Encrypted 6a647814-def5-4b85-88f5-897c19f509cd |
High | Encryption | AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) | Documentation |
| S3 Bucket SSE Disabled 309edc5b-5a59-42b4-a357-d4d098311fd4 |
High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required | Documentation |
| EFS Without KMS bd77554e-f138-40c5-91b2-2a09f878608e |
High | Encryption | Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys | Documentation |
| ELB Using Weak Ciphers 2034fb37-bc23-4ca0-8d95-2b9f15829ab5 |
High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. | Documentation |
| AMI Not Encrypted 97707503-a22c-4cd7-b7c0-f088fa7cf830 |
High | Encryption | AWS AMI Encryption is not enabled | Documentation |
| DB Instance Storage Not Encrypted 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff |
High | Encryption | AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. | Documentation |
| Kinesis Not Encrypted With KMS f2ea6481-1d31-4d40-946a-520dc6321dd7 |
High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS | Documentation |
| Launch Configuration Is Not Encrypted 66477506-6abb-49ed-803d-3fa174cd5f6a |
High | Encryption | AWS Autoscaling Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume | Documentation |
| EFS Not Encrypted 727c4fd4-d604-4df6-a179-7713d3c85e20 |
High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
| EC2 Group Has Public Interface 5330b503-3319-44ff-9b1c-00ee873f728a |
High | Insecure Configurations | The CIDR IP should not be a public interface | Documentation |
| DB Instance Publicly Accessible c09e3ca5-f08a-4717-9c87-3919c5e6d209 |
High | Insecure Configurations | RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). | Documentation |
| CloudFront Without Minimum Protocol TLS 1.2 d0c13053-d2c8-44a6-95da-d592996e9e67 |
High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
| ECS Task Definition Network Mode Not Recommended 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f |
High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
| KMS Key With Vulnerable Policy 5b9d237a-57d5-4177-be0e-71434b0fef47 |
High | Insecure Configurations | Checks if the policy is vulnerable and needs updating. | Documentation |
| S3 Bucket with Unsecured CORS Rule 3505094c-f77c-4ba0-95da-f83db712f86c |
High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure | Documentation |
| Redshift Publicly Accessible 5c6b727b-1382-4629-8ba9-abd1365e5610 |
High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) | Documentation |
| Batch Job Definition With Privileged Container Properties defe5b18-978d-4722-9325-4d1975d3699f |
High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
| Root Account Has Active Access Keys e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40 |
High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. | Documentation |
| Vulnerable Default SSL Certificate fb8f8929-afeb-4c46-99f0-a6cf410f7df4 |
High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. | Documentation |
| Unrestricted Security Group Ingress 83c5fa4c-e098-48fc-84ee-0a537287ddd2 |
High | Networking and Firewall | Security groups allow ingress from 0.0.0.0/0 | Documentation |
| EC2 Instance Has Public IP a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1 |
High | Networking and Firewall | EC2 Instance should not have a public IP address. | Documentation |
| DB Security Group With Public Scope 0956aedf-6a7a-478b-ab56-63e2b19923ad |
High | Networking and Firewall | The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it | Documentation |
| Default Security Groups With Unrestricted Traffic 8010e17a-00e9-4635-a692-90d6bcec68bd |
High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. | Documentation |
| Route53 Record Undefined 445dce51-7e53-4e50-80ef-7f94f14169e4 |
High | Networking and Firewall | Route53 Record should have a list of records | Documentation |
| HTTP Port Open To Internet a14ad534-acbe-4a8e-9404-2f7e1045646e |
High | Networking and Firewall | The HTTP port is open to the internet in a Security Group | Documentation |
| Security Group Ingress Not Restricted ea6bc7a6-d696-4dcf-a788-17fa03c17c81 |
High | Networking and Firewall | AWS Security Group should restrict ingress access | Documentation |
| DB Security Group Open To Large Scope ea0ed1c7-9aef-4464-b7c7-94c762da3640 |
High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. | Documentation |
| Unknown Port Exposed To Internet 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b |
High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
| ALB Listening on HTTP f81d63d2-c5d7-43a4-a5b5-66717a41c895 |
High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP | Documentation |
| RDS Associated with Public Subnet 16732649-4ff6-4cd2-8746-e72c13fae4b8 |
High | Networking and Firewall | RDS should not run in public subnet | Documentation |
| Security Group With Unrestricted Access To SSH 57ced4b9-6ba4-487b-8843-b65562b90c77 |
High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Security Group | Documentation |
| Remote Desktop Port Open To Internet eda7301d-1f3e-47cf-8d4e-976debc64341 |
High | Networking and Firewall | The Remote Desktop port is open to the internet in a Security Group | Documentation |
| Public Port Wide 71ea648a-d31a-4b5a-a589-5674243f1c33 |
High | Networking and Firewall | AWS Security Group should not have public port wide | Documentation |
| Configuration Aggregator to All Regions Disabled a2fdf451-89dd-451e-af92-bf6c0f4bab96 |
High | Observability | AWS Config Configuration Aggregator All Regions must be set to True | Documentation |
| CloudTrail Logging Disabled d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5 |
High | Observability | Checks if logging is enabled for CloudTrail. | Documentation |
| CMK Rotation Disabled af96d737-0818-4162-8c41-40d969bd65d1 |
High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. | Documentation |
| ECR Repository Is Publicly Accessible fb5a5df7-6d74-4243-ab82-ff779a958bfd |
Medium | Access Control | Amazon ECR image repositories shouldn't have public access | Documentation |
| S3 Bucket With Public Access c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 |
Medium | Access Control | S3 Bucket allows public access | Documentation |
| SQS Policy Allows All Actions ed9b3beb-92cf-44d9-a9d2-171eeba569d4 |
Medium | Access Control | SQS policy allows ALL (*) actions | Documentation |
| API Gateway Without Configured Authorizer b16cdb37-ce15-4ab2-8401-d42b05d123fc |
Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer | Documentation |
| SQS Policy With Public Access d994585f-defb-4b51-b6d2-c70f020ceb10 |
Medium | Access Control | Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue | Documentation |
| Public Lambda via API Gateway 5e92d816-2177-4083-85b4-f61b4f7176d9 |
Medium | Access Control | Allowing to run lambda function using public API Gateway | Documentation |
| IAM Access Key Is Exposed 7f79f858-fbe8-4186-8a2c-dfd0d958a40f |
Medium | Access Control | Check if IAM Access Key is active for some user besides 'root' | Documentation |
| Certificate Has Expired 5a443297-19d4-4381-9e5b-24faf947ec22 |
Medium | Access Control | Expired SSL/TLS certificates should be removed | Documentation |
| Lambda Permission Principal Is Wildcard 1d972c56-8ec2-48c1-a578-887adb09c57a |
Medium | Access Control | Lambda Permission Principal should not contain a wildcard. | Documentation |
| AMI Shared With Multiple Accounts a19b2942-142e-4e2b-93b7-6cf6a6c8d90f |
Medium | Access Control | Limits access to AWS AMIs by checking if more than one account is using the same image | Documentation |
| SES Policy With Allowed IAM Actions 8ed0bfce-f780-46d4-b086-21c3628f09ad |
Medium | Access Control | SES policy should not allow IAM actions to all principals | Documentation |
| IAM Policies Attached To User eafe4bc3-1042-4f88-b988-1939e64bf060 |
Medium | Access Control | IAM policies should be attached only to groups or roles | Documentation |
| Cross-Account IAM Assume Role Policy Without ExternalId or MFA af167837-9636-4086-b815-c239186b9dda |
Medium | Access Control | Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access | Documentation |
| CMK Is Unusable 133fee21-37ef-45df-a563-4d07edc169f4 |
Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. | Documentation |
| Auto Scaling Group With No Associated ELB 050f085f-a8db-4072-9010-2cca235cc02f |
Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. | Documentation |
| ECS Service Without Running Tasks f5c45127-1d28-4b49-a692-0b97da1c3a84 |
Medium | Availability | ECS Service should have at least 1 task running | Documentation |
| Stack Retention Disabled 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 |
Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction | Documentation |
| RDS With Backup Disabled e69890e6-fce5-461d-98ad-cb98318dfc96 |
Medium | Backup | Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup | Documentation |
| Misconfigured Password Policy Expiration 3f2cf811-88fa-4eda-be45-7a191a18aba9 |
Medium | Best Practices | No password expiration policy | Documentation |
| IAM Password Without Lowercase Letter 8e3063f4-b511-45c3-b030-f3b0c9131951 |
Medium | Best Practices | IAM Password should have at least one lowercase letter | Documentation |
| IAM Password Without Number 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8 |
Medium | Best Practices | IAM user resource Login Profile Password should have at least one number | Documentation |
| Password Without Reuse Prevention 6f5f5444-1422-495f-81ef-24cefd61ed2c |
Medium | Best Practices | Password policy password_reuse_prevention doesn't exist or is equal to 0 |
Documentation |
| IAM Password Without Uppercase Letter 83957b81-39c1-4191-8e12-671d2ce14354 |
Medium | Best Practices | IAM password should have at least one uppercase letter | Documentation |
| IAM Password Without Minimum Length 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d |
Medium | Best Practices | IAM password should have the required minimum length | Documentation |
| Stack Without Template 32d31f1f-0f83-4721-b7ec-1e6948c60145 |
Medium | Build Process | AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body | Documentation |
| CodeBuild Not Encrypted a1423864-2fbc-4f46-bfe1-fbbf125c71c9 |
Medium | Encryption | CodeBuild Project should be encrypted | Documentation |
| Memcached Disabled 2d55ef88-b616-4890-b822-47f280763e89 |
Medium | Encryption | Check if the Memcached is disabled on the ElastiCache | Documentation |
| EBS Volume Encryption Disabled 4b6012e7-7176-46e4-8108-e441785eae57 |
Medium | Encryption | EBS volumes should be encrypted | Documentation |
| Config Rule For Encrypted Volumes Disabled 7674a686-e4b1-4a95-83d4-1fd53c623d84 |
Medium | Encryption | Check if AWS config rules do not identify Encrypted Volumes as a source. | Documentation |
| SQS With SSE Disabled e1e7b278-2a8b-49bd-a26e-66a7f70b17eb |
Medium | Encryption | Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) | Documentation |
| ECR Image Tag Not Immutable 60bfbb8a-c72f-467f-a6dd-a46b7d612789 |
Medium | Insecure Configurations | ECR should have an image tag be immutable. This prevents image tags from being overwritten. | Documentation |
| Lambda Function Without Tags 265d9725-2fb8-42a2-bc57-3279c5db82d5 |
Medium | Insecure Configurations | AWS Lambda Functions must have associated tags. | Documentation |
| AWS Password Policy With Unchangeable Passwords e28ceb92-d588-4166-aac5-766c8f5b7472 |
Medium | Insecure Configurations | Unchangeable passwords in AWS password policy | Documentation |
| API Gateway Without SSL Certificate b47b98ab-e481-4a82-8bb1-1ab39fd36e33 |
Medium | Insecure Configurations | SSL Client Certificate should be enabled | Documentation |
| Certificate RSA Key Bytes Lower Than 256 d5ec2080-340a-4259-b885-f833c4ea6a31 |
Medium | Insecure Configurations | The certificate should use a RSA key with a length equal to or higher than 256 bytes | Documentation |
| Instance With No VPC 61d1a2d0-4db8-405a-913d-5d2ce49dff6f |
Medium | Insecure Configurations | EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | Documentation |
| API Gateway Endpoint Config is Not Private 559439b2-3e9c-4739-ac46-17e3b24ec215 |
Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet | Documentation |
| API Gateway without WAF f5f38943-664b-4acc-ab11-f292fa10ed0b |
Medium | Networking and Firewall | API Gateway should have WAF (Web Application Firewall) enabled | Documentation |
| SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible 7af1c447-c014-4f05-bd8b-ebe3a15734ac |
Medium | Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. | Documentation |
| API Gateway With CloudWatch Logging Disabled 72a931c2-12f5-40d1-93cc-47bff2f7aa2a |
Medium | Observability | AWS CloudWatch Logs for APIs is not enabled | Documentation |
| S3 Bucket Without Versioning 9232306a-f839-40aa-b3ef-b352001da9a5 |
Medium | Observability | S3 bucket should have versioning enabled | Documentation |
| CloudTrail Not Integrated With CloudWatch ebb2118a-03bc-4d53-ab43-d8750f5cb8d3 |
Medium | Observability | CloudTrail should be integrated with CloudWatch | Documentation |
| CloudTrail SNS Topic Name Undefined 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92 |
Medium | Observability | Check if SNS topic name is set for CloudTrail | Documentation |
| CloudFront Logging Disabled d31cb911-bf5b-4eb6-9fc3-16780c77c7bd |
Medium | Observability | AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true | Documentation |
| API Gateway X-Ray Disabled 2059155b-27fd-441e-b616-6966c468561f |
Medium | Observability | API Gateway should have X-Ray Tracing enabled | Documentation |
| CloudTrail Multi Region Disabled 6ad087d7-a509-4b20-b853-9ef6f5ebaa98 |
Medium | Observability | CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true | Documentation |
| CloudWatch Without Retention Period Specified e24e18d9-4c2b-4649-b3d0-18c088145e24 |
Medium | Observability | AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events | Documentation |
| Stack Notifications Disabled d39761d7-94ab-45b0-ab5e-27c44e381d58 |
Medium | Observability | AWS CloudFormation should have stack notifications enabled to be notified when an event occurs | Documentation |
| S3 Bucket Logging Disabled c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d |
Medium | Observability | Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable | Documentation |
| No Stack Policy ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9 |
Medium | Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions | Documentation |
| Hardcoded AWS Access Key c2f15af3-66a0-4176-a56e-e4711e502e5c |
Medium | Secret Management | AWS Access Key should not be hardcoded | Documentation |
| Hardcoded AWS Access Key In Lambda f34508b9-f574-4330-b42d-88c44cced645 |
Medium | Secret Management | Lambda access/secret keys should not be hardcoded | Documentation |
| IAM Group Without Users f509931b-bbb0-443c-bd9b-10e92ecf2193 |
Low | Access Control | IAM Group should have at least one user associated | Documentation |
| IAM Policy Grants 'AssumeRole' Permission Across All Services 12a7a7ce-39d6-49dd-923d-aeb4564eb66c |
Low | Access Control | IAM Policy should not grant 'AssumeRole' permission across all services. | Documentation |
| IAM Role Allows All Principals To Assume babdedcf-d859-43da-9a7b-6d72e661a8fd |
Low | Access Control | IAM role allows all services or principals to assume it | Documentation |
| EC2 Instance Using Default Security Group 8d03993b-8384-419b-a681-d1f55149397c |
Low | Access Control | EC2 instances should not use default security group(s) | Documentation |
| CDN Configuration Is Missing b25398a2-0625-4e61-8e4d-a1bb23905bf6 |
Low | Best Practices | Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. | Documentation |
| Lambda Permission Misconfigured 3ddf3417-424d-420d-8275-0724dc426520 |
Low | Best Practices | Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' | Documentation |
| Automatic Minor Upgrades Disabled 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94 |
Low | Best Practices | RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. | Documentation |
| EFS Without Tags b8a9852c-9943-4973-b8d5-77dae9352851 |
Low | Build Process | Amazon Elastic Filesystem should have filesystem tags associated | Documentation |
| CloudTrail Log Files Not Encrypted With KMS f5587077-3f57-4370-9b4e-4eb5b1bac85b |
Low | Encryption | Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail | Documentation |
| RDS Using Default Port 2cb674f6-32f9-40be-97f2-62c0dc38f0d5 |
Low | Networking and Firewall | RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 | Documentation |
| ElastiCache Without VPC 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f |
Low | Networking and Firewall | ElastiCache should be launched in a Virtual Private Cloud (VPC) | Documentation |
| ElastiCache Using Default Port 7cc6c791-5f68-4816-a564-b9b699f9d26e |
Low | Networking and Firewall | ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 | Documentation |
| EC2 Instance Using Default VPC 8833f180-96f1-46f4-9147-849aafa56029 |
Low | Networking and Firewall | EC2 Instances should not be configured under a default VPC network | Documentation |
| CloudFront Without WAF 22c80725-e390-4055-8d14-a872230f6607 |
Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service | Documentation |
| Redshift Using Default Port e01de151-a7bd-4db4-b49b-3c4775a5e881 |
Low | Networking and Firewall | Redshift should not use the default port (5439) because an attacker can easily guess the port | Documentation |
| Lambda Functions Without X-Ray Tracing 71397b34-1d50-4ee1-97cb-c96c34676f74 |
Low | Observability | AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' | Documentation |
| CloudTrail Log File Validation Disabled 4d8681a2-3d30-4c89-8070-08acd142748e |
Low | Observability | CloudTrail log file validation should be enabled to determine whether a log file has not been tampered | Documentation |
| EC2 Not EBS Optimized 338b6cab-961d-4998-bb49-e5b6a11c9a5c |
Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance | Documentation |
| ### GCP | ||||
| Bellow are listed queries related with Ansible GCP: |
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| VM With Full Cloud Access bc20bbc6-0697-4568-9a73-85af1dd97bdd |
High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs | Documentation |
| Cloud Storage Anonymous or Publicly Accessible 086031e1-9d4a-4249-acb3-5bfe4c363db2 |
High | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' | Documentation |
| BigQuery Dataset Is Public 2263b286-2fe9-4747-a0ae-8b4768a2bbd2 |
High | Access Control | BigQuery dataset is anonymously or publicly accessible | Documentation |
| SQL DB Instance Backup Disabled 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8 |
High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
| SQL DB Instance With SSL Disabled d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb |
High | Encryption | Cloud SQL Database Instance should have SLL enabled | Documentation |
| DNSSEC Using RSASHA1 6cf4c3a7-ceb0-4475-8892-3745b84be24a |
High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
| IP Aliasing Disabled ed672a9f-fbf0-44d8-a47d-779501b0db05 |
High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. | Documentation |
| Cluster Master Authentication Disabled 9df7f78f-ebe3-432e-ac3b-b67189c15518 |
High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
| PostgreSQL Misconfigured Logging Duration Flag aed98a2a-e680-497a-8886-277cea0f4514 |
High | Insecure Configurations | PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' | Documentation |
| Cluster Labels Disabled fbe9b2d0-a2b7-47a1-a534-03775f3013f7 |
High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined | Documentation |
| Private Cluster Disabled 3b30e3d6-c99b-4318-b38f-b99db74578b5 |
High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. | Documentation |
| SQL DB Instance Publicly Accessible 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b |
High | Insecure Configurations | Cloud SQL instances should not be publicly accessible. | Documentation |
| Cloud SQL Instance With Contained Database Authentication On 6d34aff3-fdd2-460c-8190-756a3b4969e8 |
High | Insecure Configurations | SQL Instance should not have Contained Database Authentication On | Documentation |
| Network Policy Disabled 98e04ca0-34f5-4c74-8fec-d2e611ce2790 |
High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false | Documentation |
| GKE Legacy Authorization Enabled 300a9964-b086-41f7-9378-b6de3ba1c32b |
High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. | Documentation |
| Client Certificate Disabled 20180133-a0d0-4745-bfe0-94049fbb12a9 |
High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true | Documentation |
| Cloud SQL Instance With Cross DB Ownership Chaining On 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f |
High | Insecure Configurations | GCP SQL Instance should not have Cross DB Ownership Chaining On | Documentation |
| GKE Basic Authentication Enabled 344bf8ab-9308-462b-a6b2-697432e40ba1 |
High | Insecure Configurations | GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty | Documentation |
| MySQL Instance With Local Infile On a7b520bb-2509-4fb0-be05-bc38f54c7a4c |
High | Insecure Configurations | MySQL Instance should not have Local Infile On | Documentation |
| GKE Master Authorized Networks Disabled d43366c5-80b0-45de-bbe8-2338f4ab0a83 |
High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters | Documentation |
| Compute Instance Is Publicly Accessible 829f1c60-2bab-44c6-8a21-5cd9d39a2c82 |
High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
| Stackdriver Logging Disabled 19c9e2a0-fc33-4264-bba1-e3682661e8f7 |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' | Documentation |
| PostgreSQL Log Connections Disabled d7a5616f-0a3f-4d43-bc2b-29d1a183e317 |
High | Observability | PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' | Documentation |
| Cloud Storage Bucket Versioning Disabled 7814ddda-e758-4a56-8be3-289a81ded929 |
High | Observability | Cloud Storage Bucket should have versioning enabled | Documentation |
| PostgreSQL Logging Of Temporary Files Disabled d6fae5b6-ada9-46c0-8b36-3108a2a2f77b |
High | Observability | PostgreSQL database 'log_temp_files' flag isn't set to '0' | Documentation |
| Stackdriver Monitoring Disabled 20dcd953-a8b8-4892-9026-9afa6d05a525 |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' | Documentation |
| Cloud Storage Bucket Logging Not Enabled 507df964-ad97-4035-ab14-94a82eabdfdd |
High | Observability | Cloud storage bucket should have logging enabled | Documentation |
| Node Auto Upgrade Disabled d6e10477-2e19-4bcd-b8a8-19c65b89ccdf |
High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters | Documentation |
| Google Compute SSL Policy Weak Cipher In Use b28bcd2f-c309-490e-ab7c-35fc4023eb26 |
Medium | Encryption | This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers | Documentation |
| Disk Encryption Disabled 092bae86-6105-4802-99d2-99cd7e7431f3 |
Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined | Documentation |
| Cloud DNS Without DNSSEC 80b15fb1-6207-40f4-a803-6915ae619a03 |
Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
| Shielded VM Disabled 18d3a83d-4414-49dc-90ea-f0387b2856cc |
Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true | Documentation |
| Using Default Service Account 2775e169-e708-42a9-9305-b58aadd2c4dd |
Medium | Insecure Configurations | Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. | Documentation |
| Google Container Node Pool Auto Repair Disabled d58c6f24-3763-4269-9f5b-86b2569a003b |
Medium | Insecure Configurations | Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. | Documentation |
| OSLogin Is Disabled In VM Instance 66dae697-507b-4aef-be18-eec5bd707f33 |
Medium | Insecure Configurations | VM instance should have OSLogin enabled | Documentation |
| GKE Using Default Service Account dc126833-125a-40fb-905a-ce5f2afde240 |
Medium | Insecure Defaults | Kubernetes Engine Clusters should not be configured to use the default service account | Documentation |
| SSH Access Is Not Restricted b2fbf1df-76dd-4d78-a6c0-e538f4a9b016 |
Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges | Documentation |
| Google Compute Network Using Default Firewall Rule 29b8224a-60e9-4011-8ac2-7916a659841f |
Medium | Networking and Firewall | Google Compute Network should not use default firewall rule | Documentation |
| RDP Access Is Not Restricted 75418eb9-39ec-465f-913c-6f2b6a80dc77 |
Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 | Documentation |
| IP Forwarding Enabled 11bd3554-cd56-4257-8e25-7aaf30cf8f5f |
Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true | Documentation |
| Serial Ports Are Enabled For VM Instances c6fc6f29-dc04-46b6-99ba-683c01aff350 |
Medium | Networking and Firewall | Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone | Documentation |
| Google Compute Network Using Firewall Rule that Allows All Ports 3602d273-3290-47b2-80fa-720162b1a8af |
Medium | Networking and Firewall | Google Compute Network should not use a firewall rule that allows all ports | Documentation |
| PostgreSQL Misconfigured Log Messages Flag 28a757fc-3d8f-424a-90c0-4233363b2711 |
Medium | Observability | PostgreSQL database 'log_min_messages' flag isn't set to a valid value | Documentation |
| PostgreSQL log_checkpoints Flag Not Set To ON 89afe3f0-4681-4ce3-89ed-896cebd4277c |
Medium | Observability | PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' | Documentation |
| COS Node Image Not Used be41f891-96b1-4b9d-b74f-b922a918c778 |
Medium | Resource Management | The node image should be Container-Optimized OS(COS) | Documentation |
| Project-wide SSH Keys Are Enabled In VM Instances 099b4411-d11e-4537-a0fc-146b19762a79 |
Medium | Secret Management | VM Instance should block project-wide SSH keys | Documentation |
| High KMS Rotation Period 79f45008-60b3-4a0a-a302-8311fd3701b4 |
Medium | Secret Management | KMS Rotation Period should be greater than 365 days. | Documentation |
| High Google KMS Crypto Key Rotation Period f9b7086b-deb8-4034-9330-d7fd38f1b8de |
Medium | Secret Management | Encryption keys should be changed after 90 days | Documentation |
| Google Compute Network Using Firewall Rule that Allows Port Range 7289eebd-a477-4064-8ad4-3c044bd70b00 |
Low | Networking and Firewall | Google Compute Network should not use a firewall rule that allows port range | Documentation |
| Google Compute Subnetwork with Private Google Access Disabled 6a4080ae-79bd-42f6-a924-8f534c1c018b |
Low | Networking and Firewall | Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes | Documentation |