# Ansible Queries List

This page contains all queries from Ansible.

### AZURE

Below are listed the queries related to Ansible AZURE:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| Admin User Enabled For Container Registry | 29f35127-98e6-43af-8ec1-201b79f99604 | High | Access Control | Admin user is enabled for Container Registry | Documentation |
| Public Storage Account | 35e2f133-a395-40de-a79d-b260d973d1bd | High | Access Control | Storage Account should not be public, to follow the principle of least privilege | Documentation |
| Storage Container Is Publicly Accessible | 4d3817db-dd35-4de4-a80d-3867157e7f7f | High | Access Control | Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage | Documentation |
| Storage Account Not Forcing HTTPS | 2c99a474-2a3c-4c17-8294-53ffa5ed0522 | High | Encryption | Storage Accounts should enforce the use of HTTPS | Documentation |
| MySQL SSL Connection Disabled | 2a901825-0f3b-4655-a0fe-e0470e50f8e6 | High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
| SSL Enforce Disabled | 961ce567-a16d-4d7d-9027-f0ec2628a555 | High | Encryption | Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
| Azure Container Registry With No Locks | 581dae78-307d-45d5-aae4-fe2b0db267a5 | High | Insecure Configurations | Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined | Documentation |
| Web App Accepting Traffic Other Than HTTPS | eb8c2560-8bee-4248-9d0d-e80c8641dd91 | High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service. | Documentation |
| VM Not Attached To Network | 1e5f5307-3e01-438d-8da6-985307ed25ce | High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
| AD Admin Not Configured For SQL Server | b176e927-bbe2-44a6-a9c3-041417137e5f | High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
| CosmosDB Account IP Range Filter Not Set | e8c80448-31d8-4755-85fc-6dbab69c2717 | High | Networking and Firewall | The IP range filter should be defined to secure the data stored | Documentation |
| Trusted Microsoft Services Not Enabled | 1bc398a8-d274-47de-a4c8-6ac867b353de | High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access | Documentation |
| Sensitive Port Is Exposed To Entire Network | 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
| SQLServer Ingress From Any IP | f4e9ff70-0f3b-4c50-a713-26cbe7ec4039 | High | Networking and Firewall | Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. | Documentation |
| Redis Publicly Accessible | 0632d0db-9190-450a-8bb3-c283bffea445 | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources | Documentation |
| Redis Entirely Accessible | 0d0c12b9-edce-4510-9065-13f6a758750c | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet | Documentation |
| AKS RBAC Disabled | 149fa56c-4404-4f90-9e25-d34b676d5b39 | Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
| Role Definition Allows Custom Role Creation | 5c80db8e-03f5-43a2-b4af-1f3f87018157 | Medium | Access Control | Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) | Documentation |
| Key Vault Soft Delete Is Disabled | 881696a8-68c5-4073-85bc-7c38a3deb854 | Medium | Backup | Make sure Soft Delete is enabled for Key Vault | Documentation |
| SQL Server Predictable Admin Account Name | 663062e9-473d-4e87-99bc-6f3684b3df40 | Medium | Best Practices | Azure SQL Server's Admin account login must avoid using names like 'Admin' that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict | Documentation |
| SQL Server Predictable Active Directory Account Name | 530e8291-2f22-4bab-b7ea-306f1bc2a308 | Medium | Best Practices | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict | Documentation |
| Cosmos DB Account Without Tags | 23a4dc83-4959-4d99-8056-8e051a82bc1e | Medium | Build Process | Cosmos DB Account must have a mapping of tags. | Documentation |
| Storage Account Not Using Latest TLS Encryption Version | c62746cf-92d5-4649-9acf-7d48d086f2ee | Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
| Security Group is Not Configured | da4f2739-174f-4cdd-b9ef-dc3f14b5931f | Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
| AKS Network Policy Misconfigured | 8c3bedf1-c570-4c3b-b414-d068cd39a00c | Medium | Insecure Configurations | Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privilege, which means that 'network_profile.network_policy' should be defined | Documentation |
| Redis Cache Allows Non SSL Connections | 869e7fb4-30f0-4bdb-b360-ad548f337f2f | Medium | Insecure Configurations | Redis Cache resources should not allow non-SSL connections | Documentation |
| Default Network Access is Allowed | 974e6fe7-63fd-4fa4-aa72-77b21a4a959d | Medium | Insecure Defaults | Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' | Documentation |
| Unrestricted SQL Server Access | 3f23c96c-f9f5-488d-9b17-605b8da5842f | Medium | Networking and Firewall | Azure SQL Server Accessibility should be set to a minimal address range to follow the principle of least privilege, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both IPs should be different from '0.0.0.0' | Documentation |
| WAF Is Disabled For Azure Application Gateway | 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255 | Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. | Documentation |
| Firewall Rule Allows Too Many Hosts To Access Redis Cache | 69f72007-502e-457b-bd2d-5012e31ac049 | Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache. | Documentation |
| PostgreSQL Log Connections Not Set | 7b47138f-ec0e-47dc-8516-e7728fe3cc17 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
| PostgreSQL Log Duration Not Set | 729ebb15-8060-40f7-9017-cb72676a5487 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
| AKS Monitoring Logging Disabled | d5e83b32-56dd-4247-8c2e-074f43b38a5e | Medium | Observability | Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring | Documentation |
| Log Retention Is Not Set | 0461b4fd-21ef-4687-929e-484ee4796785 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
| Monitoring Log Profile Without All Activities | 89f84a1e-75f8-47c5-83b5-bee8e2de4168 | Medium | Observability | Monitoring log profile should capture all the activities (Action, Write, Delete) | Documentation |
| PostgreSQL Log Checkpoints Disabled | 7ab33ac0-e4a3-418f-a673-50da4e34df21 | Medium | Observability | Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
| PostgreSQL Log Disconnections Not Set | 054d07b5-941b-4c28-8eef-18989dc62323 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
| PostgreSQL Server Without Connection Throttling | a9becca7-892a-4af7-b9e1-44bf20a4cd9a | Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
| Small Activity Log Retention Period | 37fafbea-dedb-4e0d-852e-d16ee0589326 | Medium | Observability | Ensure that Activity Log Retention is set to 365 days or greater | Documentation |
### AWS

Below are listed the queries related to Ansible AWS:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| S3 Bucket Allows List Action From All Principals | d395a950-12ce-4314-a742-ac5a785ab44e | High | Access Control | S3 Buckets must not allow List Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. | Documentation |
| SNS Topic is Publicly Accessible | 905f4741-f965-45c1-98db-f7a00a0e5c73 | High | Access Control | SNS Topic Policy should not allow any principal to access | Documentation |
| S3 Bucket With All Permissions | 6a6d7e56-c913-4549-b5c5-5221e624d2ec | High | Access Control | S3 Buckets should not have all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. | Documentation |
| IAM Policy Grants Full Permissions | b5ed026d-a772-4f07-97f9-664ba0b116f8 | High | Access Control | IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. | Documentation |
| S3 Bucket Allows Put Action From All Principals | a0f1bfe0-741e-473f-b3b2-13e66f856fab | High | Access Control | S3 Buckets must not allow Put Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. | Documentation |
| ECS Service Admin Role Is Present | 7db727c1-1720-468e-b80e-06697f71e09e | High | Access Control | ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role | Documentation |
| S3 Bucket Allows Delete Action From All Principals | 6fa44721-ef21-41c6-8665-330d59461163 | High | Access Control | S3 Buckets must not allow Delete Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. | Documentation |
| Authentication Without MFA | eee107f9-b3d8-45d3-b9c6-43b5a7263ce1 | High | Access Control | Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating | Documentation |
| S3 Bucket ACL Allows Read to Any Authenticated User | 75480b31-f349-4b9a-861f-bce19588e674 | High | Access Control | S3 Buckets should not be readable to any authenticated user | Documentation |
| IAM Policies With Full Privileges | e401d614-8026-4f4b-9af9-75d1197461ba | High | Access Control | IAM policies shouldn't allow full administrative privileges (for all resources) | Documentation |
| S3 Bucket ACL Allows Read to All Users | a1ef9d2e-4163-40cb-bd92-04f0d602a15d | High | Access Control | S3 Buckets should not be readable to all users | Documentation |
| S3 Bucket Allows Get Action From All Principals | 53bce6a8-5492-4b1b-81cf-664385f0c4bf | High | Access Control | S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. | Documentation |
| S3 Bucket Access to Any Principal | 3ab1f27d-52cc-4943-af1d-43c1939e739a | High | Access Control | Checks if the S3 bucket is accessible for all users | Documentation |
| SQS Queue Exposed | 86b0efa7-4901-4edd-a37a-c034bec6645a | High | Access Control | Checks if the SQS Queue is exposed | Documentation |
| User Data Shell Script Is Encoded | 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89 | High | Encryption | User Data Shell Script must be encoded | Documentation |
| S3 Bucket Without Server-side-encryption | 594f54e7-f744-45ab-93e4-c6dbaf6cd571 | High | Encryption | AWS S3 Storage should be protected with SSE (Server-Side Encryption) | Documentation |
| ECS Task Definition Container With Plaintext Password | 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892 | High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. | Documentation |
| IAM Database Auth Not Enabled | 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 | High | Encryption | IAM Database Auth Enabled should be configured to true when using a compatible engine and version | Documentation |
| User Data Contains Encoded Private Key | c09f4d3e-27d2-4d46-9453-abbe9687a64e | High | Encryption | User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily | Documentation |
| Redis Not Compliant | 9f34885e-c08f-4d13-a7d1-cf190c5bd268 | High | Encryption | Check if the redis version is compliant with the necessary AWS PCI DSS requirements | Documentation |
| Secure Ciphers Disabled | 218413a0-c716-4b94-9e08-0bb70d854709 | High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
| Viewer Protocol Policy Allows HTTP | a6d27cf7-61dc-4bde-ae08-3b353b609f76 | High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
| ELB Using Insecure Protocols | 730a5951-2760-407a-b032-dd629b55c23a | High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. | Documentation |
| CA Certificate Identifier Is Outdated | 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce | High | Encryption | The CA certificate Identifier must be 'rds-ca-2019'. | Documentation |
| Redshift Not Encrypted | 6a647814-def5-4b85-88f5-897c19f509cd | High | Encryption | AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) | Documentation |
| S3 Bucket SSE Disabled | 309edc5b-5a59-42b4-a357-d4d098311fd4 | High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required | Documentation |
| EFS Without KMS | bd77554e-f138-40c5-91b2-2a09f878608e | High | Encryption | Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys | Documentation |
| ELB Using Weak Ciphers | 2034fb37-bc23-4ca0-8d95-2b9f15829ab5 | High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. | Documentation |
| AMI Not Encrypted | 97707503-a22c-4cd7-b7c0-f088fa7cf830 | High | Encryption | AWS AMI Encryption is not enabled | Documentation |
| DB Instance Storage Not Encrypted | 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff | High | Encryption | AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. | Documentation |
| Kinesis Not Encrypted With KMS | f2ea6481-1d31-4d40-946a-520dc6321dd7 | High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS | Documentation |
| Launch Configuration Is Not Encrypted | 66477506-6abb-49ed-803d-3fa174cd5f6a | High | Encryption | AWS Autoscaling Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume | Documentation |
| EFS Not Encrypted | 727c4fd4-d604-4df6-a179-7713d3c85e20 | High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
| EC2 Group Has Public Interface | 5330b503-3319-44ff-9b1c-00ee873f728a | High | Insecure Configurations | The CIDR IP should not be a public interface | Documentation |
| DB Instance Publicly Accessible | c09e3ca5-f08a-4717-9c87-3919c5e6d209 | High | Insecure Configurations | RDS must not be defined with a public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). | Documentation |
| CloudFront Without Minimum Protocol TLS 1.2 | d0c13053-d2c8-44a6-95da-d592996e9e67 | High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
| ECS Task Definition Network Mode Not Recommended | 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f | High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
| KMS Key With Vulnerable Policy | 5b9d237a-57d5-4177-be0e-71434b0fef47 | High | Insecure Configurations | Checks if the policy is vulnerable and needs updating. | Documentation |
| S3 Bucket with Unsecured CORS Rule | 3505094c-f77c-4ba0-95da-f83db712f86c | High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure | Documentation |
| Redshift Publicly Accessible | 5c6b727b-1382-4629-8ba9-abd1365e5610 | High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) | Documentation |
| Batch Job Definition With Privileged Container Properties | defe5b18-978d-4722-9325-4d1975d3699f | High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
| Root Account Has Active Access Keys | e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40 | High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. | Documentation |
| Vulnerable Default SSL Certificate | fb8f8929-afeb-4c46-99f0-a6cf410f7df4 | High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. | Documentation |
| Unrestricted Security Group Ingress | 83c5fa4c-e098-48fc-84ee-0a537287ddd2 | High | Networking and Firewall | Security groups allow ingress from 0.0.0.0/0 | Documentation |
| EC2 Instance Has Public IP | a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1 | High | Networking and Firewall | EC2 Instance should not have a public IP address. | Documentation |
| DB Security Group With Public Scope | 0956aedf-6a7a-478b-ab56-63e2b19923ad | High | Networking and Firewall | The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it | Documentation |
| Default Security Groups With Unrestricted Traffic | 8010e17a-00e9-4635-a692-90d6bcec68bd | High | Networking and Firewall | Check if the default security group does not restrict all inbound and outbound traffic. | Documentation |
| Route53 Record Undefined | 445dce51-7e53-4e50-80ef-7f94f14169e4 | High | Networking and Firewall | Route53 Record should have a list of records | Documentation |
| HTTP Port Open To Internet | a14ad534-acbe-4a8e-9404-2f7e1045646e | High | Networking and Firewall | The HTTP port is open to the internet in a Security Group | Documentation |
| Security Group Ingress Not Restricted | ea6bc7a6-d696-4dcf-a788-17fa03c17c81 | High | Networking and Firewall | AWS Security Group should restrict ingress access | Documentation |
| DB Security Group Open To Large Scope | ea0ed1c7-9aef-4464-b7c7-94c762da3640 | High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. | Documentation |
| Unknown Port Exposed To Internet | 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b | High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
| ALB Listening on HTTP | f81d63d2-c5d7-43a4-a5b5-66717a41c895 | High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP | Documentation |
| RDS Associated with Public Subnet | 16732649-4ff6-4cd2-8746-e72c13fae4b8 | High | Networking and Firewall | RDS should not run in a public subnet | Documentation |
| Security Group With Unrestricted Access To SSH | 57ced4b9-6ba4-487b-8843-b65562b90c77 | High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Security Group | Documentation |
| Remote Desktop Port Open To Internet | eda7301d-1f3e-47cf-8d4e-976debc64341 | High | Networking and Firewall | The Remote Desktop port is open to the internet in a Security Group | Documentation |
| Public Port Wide | 71ea648a-d31a-4b5a-a589-5674243f1c33 | High | Networking and Firewall | AWS Security Group should not have a wide public port range | Documentation |
| Configuration Aggregator to All Regions Disabled | a2fdf451-89dd-451e-af92-bf6c0f4bab96 | High | Observability | AWS Config Configuration Aggregator All Regions must be set to True | Documentation |
| CloudTrail Logging Disabled | d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5 | High | Observability | Checks if logging is enabled for CloudTrail. | Documentation |
| CMK Rotation Disabled | af96d737-0818-4162-8c41-40d969bd65d1 | High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. | Documentation |
| ECR Repository Is Publicly Accessible | fb5a5df7-6d74-4243-ab82-ff779a958bfd | Medium | Access Control | Amazon ECR image repositories shouldn't have public access | Documentation |
| S3 Bucket With Public Access | c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 | Medium | Access Control | S3 Bucket allows public access | Documentation |
| SQS Policy Allows All Actions | ed9b3beb-92cf-44d9-a9d2-171eeba569d4 | Medium | Access Control | SQS policy allows ALL (*) actions | Documentation |
| API Gateway Without Configured Authorizer | b16cdb37-ce15-4ab2-8401-d42b05d123fc | Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer | Documentation |
| SQS Policy With Public Access | d994585f-defb-4b51-b6d2-c70f020ceb10 | Medium | Access Control | Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks on the queue | Documentation |
| Public Lambda via API Gateway | 5e92d816-2177-4083-85b4-f61b4f7176d9 | Medium | Access Control | Allows a Lambda function to be run through a public API Gateway | Documentation |
| IAM Access Key Is Exposed | 7f79f858-fbe8-4186-8a2c-dfd0d958a40f | Medium | Access Control | Check if IAM Access Key is active for some user besides 'root' | Documentation |
| Certificate Has Expired | 5a443297-19d4-4381-9e5b-24faf947ec22 | Medium | Access Control | Expired SSL/TLS certificates should be removed | Documentation |
| Lambda Permission Principal Is Wildcard | 1d972c56-8ec2-48c1-a578-887adb09c57a | Medium | Access Control | Lambda Permission Principal should not contain a wildcard. | Documentation |
| AMI Shared With Multiple Accounts | a19b2942-142e-4e2b-93b7-6cf6a6c8d90f | Medium | Access Control | Limits access to AWS AMIs by checking if more than one account is using the same image | Documentation |
| SES Policy With Allowed IAM Actions | 8ed0bfce-f780-46d4-b086-21c3628f09ad | Medium | Access Control | SES policy should not allow IAM actions to all principals | Documentation |
| IAM Policies Attached To User | eafe4bc3-1042-4f88-b988-1939e64bf060 | Medium | Access Control | IAM policies should be attached only to groups or roles | Documentation |
| Cross-Account IAM Assume Role Policy Without ExternalId or MFA | af167837-9636-4086-b815-c239186b9dda | Medium | Access Control | Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access | Documentation |
| CMK Is Unusable | 133fee21-37ef-45df-a563-4d07edc169f4 | Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. | Documentation |
| Auto Scaling Group With No Associated ELB | 050f085f-a8db-4072-9010-2cca235cc02f | Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. | Documentation |
| ECS Service Without Running Tasks | f5c45127-1d28-4b49-a692-0b97da1c3a84 | Medium | Availability | ECS Service should have at least 1 task running | Documentation |
| Stack Retention Disabled | 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 | Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction | Documentation |
| RDS With Backup Disabled | e69890e6-fce5-461d-98ad-cb98318dfc96 | Medium | Backup | Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup | Documentation |
| Misconfigured Password Policy Expiration | 3f2cf811-88fa-4eda-be45-7a191a18aba9 | Medium | Best Practices | No password expiration policy | Documentation |
| IAM Password Without Lowercase Letter | 8e3063f4-b511-45c3-b030-f3b0c9131951 | Medium | Best Practices | IAM Password should have at least one lowercase letter | Documentation |
| IAM Password Without Number | 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8 | Medium | Best Practices | IAM user resource Login Profile Password should have at least one number | Documentation |
| Password Without Reuse Prevention | 6f5f5444-1422-495f-81ef-24cefd61ed2c | Medium | Best Practices | Password policy password_reuse_prevention doesn't exist or is equal to 0 | Documentation |
| IAM Password Without Uppercase Letter | 83957b81-39c1-4191-8e12-671d2ce14354 | Medium | Best Practices | IAM password should have at least one uppercase letter | Documentation |
| IAM Password Without Minimum Length | 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d | Medium | Best Practices | IAM password should have the required minimum length | Documentation |
| Stack Without Template | 32d31f1f-0f83-4721-b7ec-1e6948c60145 | Medium | Build Process | AWS CloudFormation should have a template defined through the attribute template, template_url or template_body | Documentation |
| CodeBuild Not Encrypted | a1423864-2fbc-4f46-bfe1-fbbf125c71c9 | Medium | Encryption | CodeBuild Project should be encrypted | Documentation |
| Memcached Disabled | 2d55ef88-b616-4890-b822-47f280763e89 | Medium | Encryption | Check if Memcached is disabled on the ElastiCache | Documentation |
| EBS Volume Encryption Disabled | 4b6012e7-7176-46e4-8108-e441785eae57 | Medium | Encryption | EBS volumes should be encrypted | Documentation |
| Config Rule For Encrypted Volumes Disabled | 7674a686-e4b1-4a95-83d4-1fd53c623d84 | Medium | Encryption | Check if AWS config rules do not identify Encrypted Volumes as a source. | Documentation |
| SQS With SSE Disabled | e1e7b278-2a8b-49bd-a26e-66a7f70b17eb | Medium | Encryption | Amazon Simple Queue Service (SQS) queues should protect the contents of their messages using Server-Side Encryption (SSE) | Documentation |
| ECR Image Tag Not Immutable | 60bfbb8a-c72f-467f-a6dd-a46b7d612789 | Medium | Insecure Configurations | ECR should have image tags set to immutable. This prevents image tags from being overwritten. | Documentation |
| Lambda Function Without Tags | 265d9725-2fb8-42a2-bc57-3279c5db82d5 | Medium | Insecure Configurations | AWS Lambda Functions must have associated tags. | Documentation |
| AWS Password Policy With Unchangeable Passwords | e28ceb92-d588-4166-aac5-766c8f5b7472 | Medium | Insecure Configurations | Unchangeable passwords in AWS password policy | Documentation |
| API Gateway Without SSL Certificate | b47b98ab-e481-4a82-8bb1-1ab39fd36e33 | Medium | Insecure Configurations | SSL Client Certificate should be enabled | Documentation |
| Certificate RSA Key Bytes Lower Than 256 | d5ec2080-340a-4259-b885-f833c4ea6a31 | Medium | Insecure Configurations | The certificate should use an RSA key with a length equal to or higher than 256 bytes | Documentation |
| Instance With No VPC | 61d1a2d0-4db8-405a-913d-5d2ce49dff6f | Medium | Insecure Configurations | EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | Documentation |
| API Gateway Endpoint Config is Not Private | 559439b2-3e9c-4739-ac46-17e3b24ec215 | Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet | Documentation |
| API Gateway without WAF | f5f38943-664b-4acc-ab11-f292fa10ed0b | Medium | Networking and Firewall | API Gateway should have WAF (Web Application Firewall) enabled | Documentation |
| SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible | 7af1c447-c014-4f05-bd8b-ebe3a15734ac | Medium | Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. | Documentation |
| API Gateway With CloudWatch Logging Disabled | 72a931c2-12f5-40d1-93cc-47bff2f7aa2a | Medium | Observability | AWS CloudWatch Logs for APIs is not enabled | Documentation |
| S3 Bucket Without Versioning | 9232306a-f839-40aa-b3ef-b352001da9a5 | Medium | Observability | S3 bucket should have versioning enabled | Documentation |
| CloudTrail Not Integrated With CloudWatch | ebb2118a-03bc-4d53-ab43-d8750f5cb8d3 | Medium | Observability | CloudTrail should be integrated with CloudWatch | Documentation |
| CloudTrail SNS Topic Name Undefined | 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92 | Medium | Observability | Check if SNS topic name is set for CloudTrail | Documentation |
| CloudFront Logging Disabled | d31cb911-bf5b-4eb6-9fc3-16780c77c7bd | Medium | Observability | AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true | Documentation |
| API Gateway X-Ray Disabled | 2059155b-27fd-441e-b616-6966c468561f | Medium | Observability | API Gateway should have X-Ray Tracing enabled | Documentation |
| CloudTrail Multi Region Disabled | 6ad087d7-a509-4b20-b853-9ef6f5ebaa98 | Medium | Observability | CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true | Documentation |
| CloudWatch Without Retention Period Specified | e24e18d9-4c2b-4649-b3d0-18c088145e24 | Medium | Observability | AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events | Documentation |
| Stack Notifications Disabled | d39761d7-94ab-45b0-ab5e-27c44e381d58 | Medium | Observability | AWS CloudFormation should have stack notifications enabled to be notified when an event occurs | Documentation |
| S3 Bucket Logging Disabled | c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d | Medium | Observability | Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable | Documentation |
| No Stack Policy | ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9 | Medium | Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions | Documentation |
| Hardcoded AWS Access Key | c2f15af3-66a0-4176-a56e-e4711e502e5c | Medium | Secret Management | AWS Access Key should not be hardcoded | Documentation |
| Hardcoded AWS Access Key In Lambda | f34508b9-f574-4330-b42d-88c44cced645 | Medium | Secret Management | Lambda access/secret keys should not be hardcoded | Documentation |
| IAM Group Without Users | f509931b-bbb0-443c-bd9b-10e92ecf2193 | Low | Access Control | IAM Group should have at least one user associated | Documentation |
| IAM Policy Grants 'AssumeRole' Permission Across All Services | 12a7a7ce-39d6-49dd-923d-aeb4564eb66c | Low | Access Control | IAM Policy should not grant 'AssumeRole' permission across all services. | Documentation |
| IAM Role Allows All Principals To Assume | babdedcf-d859-43da-9a7b-6d72e661a8fd | Low | Access Control | IAM role allows all services or principals to assume it | Documentation |
| EC2 Instance Using Default Security Group | 8d03993b-8384-419b-a681-d1f55149397c | Low | Access Control | EC2 instances should not use default security group(s) | Documentation |
| CDN Configuration Is Missing | b25398a2-0625-4e61-8e4d-a1bb23905bf6 | Low | Best Practices | Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. | Documentation |
| Lambda Permission Misconfigured | 3ddf3417-424d-420d-8275-0724dc426520 | Low | Best Practices | Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction' | Documentation |
| Automatic Minor Upgrades Disabled | 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94 | Low | Best Practices | RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. | Documentation |
| EFS Without Tags | b8a9852c-9943-4973-b8d5-77dae9352851 | Low | Build Process | Amazon Elastic Filesystem should have filesystem tags associated | Documentation |
| CloudTrail Log Files Not Encrypted With KMS | f5587077-3f57-4370-9b4e-4eb5b1bac85b | Low | Encryption | Logs delivered by CloudTrail should be encrypted using KMS to increase the security of your CloudTrail | Documentation |
| RDS Using Default Port | 2cb674f6-32f9-40be-97f2-62c0dc38f0d5 | Low | Networking and Firewall | RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 | Documentation |
| ElastiCache Without VPC | 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f | Low | Networking and Firewall | ElastiCache should be launched in a Virtual Private Cloud (VPC) | Documentation |
| ElastiCache Using Default Port | 7cc6c791-5f68-4816-a564-b9b699f9d26e | Low | Networking and Firewall | ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 | Documentation |
| EC2 Instance Using Default VPC | 8833f180-96f1-46f4-9147-849aafa56029 | Low | Networking and Firewall | EC2 Instances should not be configured under a default VPC network | Documentation |
| CloudFront Without WAF | 22c80725-e390-4055-8d14-a872230f6607 | Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service | Documentation |
| Redshift Using Default Port | e01de151-a7bd-4db4-b49b-3c4775a5e881 | Low | Networking and Firewall | Redshift should not use the default port (5439) because an attacker can easily guess the port | Documentation |
Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74
Low Observability AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' Documentation
CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e
Low Observability CloudTrail log file validation should be enabled to determine whether a log file has not been tampered Documentation
EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c
Info Best Practices It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance Documentation
### GCP
Below are the queries related to Ansible GCP:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| VM With Full Cloud Access | bc20bbc6-0697-4568-9a73-85af1dd97bdd | High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs | Documentation |
| Cloud Storage Anonymous or Publicly Accessible | 086031e1-9d4a-4249-acb3-5bfe4c363db2 | High | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' | Documentation |
| BigQuery Dataset Is Public | 2263b286-2fe9-4747-a0ae-8b4768a2bbd2 | High | Access Control | BigQuery dataset is anonymously or publicly accessible | Documentation |
| SQL DB Instance Backup Disabled | 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8 | High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
| SQL DB Instance With SSL Disabled | d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb | High | Encryption | Cloud SQL Database Instance should have SSL enabled | Documentation |
| DNSSEC Using RSASHA1 | 6cf4c3a7-ceb0-4475-8892-3745b84be24a | High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
| IP Aliasing Disabled | ed672a9f-fbf0-44d8-a47d-779501b0db05 | High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. | Documentation |
| Cluster Master Authentication Disabled | 9df7f78f-ebe3-432e-ac3b-b67189c15518 | High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
| PostgreSQL Misconfigured Logging Duration Flag | aed98a2a-e680-497a-8886-277cea0f4514 | High | Insecure Configurations | PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' | Documentation |
| Cluster Labels Disabled | fbe9b2d0-a2b7-47a1-a534-03775f3013f7 | High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined | Documentation |
| Private Cluster Disabled | 3b30e3d6-c99b-4318-b38f-b99db74578b5 | High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. | Documentation |
| SQL DB Instance Publicly Accessible | 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b | High | Insecure Configurations | Cloud SQL instances should not be publicly accessible. | Documentation |
| Cloud SQL Instance With Contained Database Authentication On | 6d34aff3-fdd2-460c-8190-756a3b4969e8 | High | Insecure Configurations | SQL Instance should not have Contained Database Authentication On | Documentation |
| Network Policy Disabled | 98e04ca0-34f5-4c74-8fec-d2e611ce2790 | High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false | Documentation |
| GKE Legacy Authorization Enabled | 300a9964-b086-41f7-9378-b6de3ba1c32b | High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. | Documentation |
| Client Certificate Disabled | 20180133-a0d0-4745-bfe0-94049fbb12a9 | High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true | Documentation |
| Cloud SQL Instance With Cross DB Ownership Chaining On | 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f | High | Insecure Configurations | GCP SQL Instance should not have Cross DB Ownership Chaining On | Documentation |
| GKE Basic Authentication Enabled | 344bf8ab-9308-462b-a6b2-697432e40ba1 | High | Insecure Configurations | GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty | Documentation |
| MySQL Instance With Local Infile On | a7b520bb-2509-4fb0-be05-bc38f54c7a4c | High | Insecure Configurations | MySQL Instance should not have Local Infile On | Documentation |
| GKE Master Authorized Networks Disabled | d43366c5-80b0-45de-bbe8-2338f4ab0a83 | High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters | Documentation |
| Compute Instance Is Publicly Accessible | 829f1c60-2bab-44c6-8a21-5cd9d39a2c82 | High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
| Stackdriver Logging Disabled | 19c9e2a0-fc33-4264-bba1-e3682661e8f7 | High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' | Documentation |
| PostgreSQL Log Connections Disabled | d7a5616f-0a3f-4d43-bc2b-29d1a183e317 | High | Observability | PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' | Documentation |
| Cloud Storage Bucket Versioning Disabled | 7814ddda-e758-4a56-8be3-289a81ded929 | High | Observability | Cloud Storage Bucket should have versioning enabled | Documentation |
| PostgreSQL Logging Of Temporary Files Disabled | d6fae5b6-ada9-46c0-8b36-3108a2a2f77b | High | Observability | PostgreSQL database 'log_temp_files' flag isn't set to '0' | Documentation |
| Stackdriver Monitoring Disabled | 20dcd953-a8b8-4892-9026-9afa6d05a525 | High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' | Documentation |
| Cloud Storage Bucket Logging Not Enabled | 507df964-ad97-4035-ab14-94a82eabdfdd | High | Observability | Cloud storage bucket should have logging enabled | Documentation |
| Node Auto Upgrade Disabled | d6e10477-2e19-4bcd-b8a8-19c65b89ccdf | High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters | Documentation |
| Google Compute SSL Policy Weak Cipher In Use | b28bcd2f-c309-490e-ab7c-35fc4023eb26 | Medium | Encryption | This query checks whether a Google Compute SSL Policy enables weak cipher suites; to do so it checks that the TLS version is TLS_1_2, because other versions have weak ciphers | Documentation |
| Disk Encryption Disabled | 092bae86-6105-4802-99d2-99cd7e7431f3 | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined | Documentation |
| Cloud DNS Without DNSSEC | 80b15fb1-6207-40f4-a803-6915ae619a03 | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
| Shielded VM Disabled | 18d3a83d-4414-49dc-90ea-f0387b2856cc | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true | Documentation |
| Using Default Service Account | 2775e169-e708-42a9-9305-b58aadd2c4dd | Medium | Insecure Configurations | Instances must not be configured to use the Default Service Account, which has full access to all Cloud APIs; this means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. | Documentation |
| Google Container Node Pool Auto Repair Disabled | d58c6f24-3763-4269-9f5b-86b2569a003b | Medium | Insecure Configurations | Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. | Documentation |
| OSLogin Is Disabled In VM Instance | 66dae697-507b-4aef-be18-eec5bd707f33 | Medium | Insecure Configurations | VM instance should have OSLogin enabled | Documentation |
| GKE Using Default Service Account | dc126833-125a-40fb-905a-ce5f2afde240 | Medium | Insecure Defaults | Kubernetes Engine Clusters should not be configured to use the default service account | Documentation |
| SSH Access Is Not Restricted | b2fbf1df-76dd-4d78-a6c0-e538f4a9b016 | Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privilege | Documentation |
| Google Compute Network Using Default Firewall Rule | 29b8224a-60e9-4011-8ac2-7916a659841f | Medium | Networking and Firewall | Google Compute Network should not use the default firewall rule | Documentation |
| RDP Access Is Not Restricted | 75418eb9-39ec-465f-913c-6f2b6a80dc77 | Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 | Documentation |
| IP Forwarding Enabled | 11bd3554-cd56-4257-8e25-7aaf30cf8f5f | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true | Documentation |
| Serial Ports Are Enabled For VM Instances | c6fc6f29-dc04-46b6-99ba-683c01aff350 | Medium | Networking and Firewall | Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM if they know the username, project ID, SSH key, instance name and zone | Documentation |
| Google Compute Network Using Firewall Rule that Allows All Ports | 3602d273-3290-47b2-80fa-720162b1a8af | Medium | Networking and Firewall | Google Compute Network should not use a firewall rule that allows all ports | Documentation |
| PostgreSQL Misconfigured Log Messages Flag | 28a757fc-3d8f-424a-90c0-4233363b2711 | Medium | Observability | PostgreSQL database 'log_min_messages' flag isn't set to a valid value | Documentation |
| PostgreSQL log_checkpoints Flag Not Set To ON | 89afe3f0-4681-4ce3-89ed-896cebd4277c | Medium | Observability | PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' | Documentation |
| COS Node Image Not Used | be41f891-96b1-4b9d-b74f-b922a918c778 | Medium | Resource Management | The node image should be Container-Optimized OS (COS) | Documentation |
| Project-wide SSH Keys Are Enabled In VM Instances | 099b4411-d11e-4537-a0fc-146b19762a79 | Medium | Secret Management | VM Instance should block project-wide SSH keys | Documentation |
| High KMS Rotation Period | 79f45008-60b3-4a0a-a302-8311fd3701b4 | Medium | Secret Management | KMS Rotation Period should be greater than 365 days. | Documentation |
| High Google KMS Crypto Key Rotation Period | f9b7086b-deb8-4034-9330-d7fd38f1b8de | Medium | Secret Management | Encryption keys should be changed after 90 days | Documentation |
| Google Compute Network Using Firewall Rule that Allows Port Range | 7289eebd-a477-4064-8ad4-3c044bd70b00 | Low | Networking and Firewall | Google Compute Network should not use a firewall rule that allows a port range | Documentation |
| Google Compute Subnetwork with Private Google Access Disabled | 6a4080ae-79bd-42f6-a924-8f534c1c018b | Low | Networking and Firewall | Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes | Documentation |