Terraform

Terraform Queries List

This page contains all queries from Terraform.

### AZURE

Below are listed the queries related to Terraform AZURE:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| Role Assignment Not Limit Guest User Permissions | 8e75e431-449f-49e9-b56a-c8f1378025cf | High | Access Control | Role Assignment should limit guest user permissions | Documentation |
| Admin User Enabled For Container Registry | b897dfbf-322c-45a8-b67c-1e698beeaa51 | High | Access Control | Admin user is enabled for Container Registry | Documentation |
| Role Assignment Of Guest Users | 2bc626a8-0751-446f-975d-8139214fc790 | High | Access Control | There is a role assignment for a guest user | Documentation |
| Function App Authentication Disabled | e65a0733-94a0-4826-82f4-df529f4c593f | High | Access Control | Azure Function App authentication settings should be enabled | Documentation |
| Public Storage Account | 17f75827-0684-48f4-8747-61129c7e4198 | High | Access Control | Storage Account should not be public, to grant the principle of least privilege | Documentation |
| Storage Container Is Publicly Accessible | dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299 | High | Access Control | Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage | Documentation |
| Geo Redundancy Is Disabled | 8b042c30-e441-453f-b162-7696982ebc58 | High | Backup | Make sure that on PostgreSQL Geo Redundant Backups are enabled | Documentation |
| Storage Account Not Forcing HTTPS | 12944ec4-1fa0-47be-8b17-42a034f937c2 | High | Encryption | Storage Accounts should enforce the use of HTTPS | Documentation |
| App Service Not Using Latest TLS Encryption Version | b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643 | High | Encryption | Ensure App Service is using the latest version of TLS encryption | Documentation |
| Function App Not Using Latest TLS Encryption Version | 45fc717a-bd86-415c-bdd8-677901be1aa6 | High | Encryption | Ensure Function App is using the latest version of TLS encryption | Documentation |
| MySQL SSL Connection Disabled | 73e42469-3a86-4f39-ad78-098f325b4e9f | High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
| SSL Enforce Disabled | 0437633b-daa6-4bbc-8526-c0d2443b946e | High | Encryption | Make sure that for PostgreSQL, 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
| Azure Container Registry With No Locks | a187ac47-8163-42ce-8a63-c115236be6fb | High | Insecure Configurations | Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' | Documentation |
| App Service FTPS Enforce Disabled | 85da374f-b00f-4832-9d44-84a1ca1e89f8 | High | Insecure Configurations | Azure App Service should only enforce FTPS when 'ftps_state' is enabled | Documentation |
| Network Watcher Flow Disabled | b90842e5-6779-44d4-9760-972f4c03ba1c | High | Insecure Configurations | Check if the enable field in the resource azurerm_network_watcher_flow_log is false | Documentation |
| Azure App Service Client Certificate Disabled | a81573f9-3691-4d83-88a0-7d4af63e17a3 | High | Insecure Configurations | Azure App Service client certificate should be enabled | Documentation |
| Web App Accepting Traffic Other Than HTTPS | 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe | High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service | Documentation |
| Redis Not Updated Regularly | b947809d-dd2f-4de9-b724-04d101c515aa | High | Insecure Configurations | Redis Cache is not configured to be updated regularly with security and operational updates | Documentation |
| AKS Private Cluster Disabled | 599318f2-6653-4569-9e21-041d06c63a89 | High | Insecure Configurations | Azure Kubernetes Service (AKS) API should not be exposed to the internet | Documentation |
| Function App FTPS Enforce Disabled | 9dab0179-433d-4dff-af8f-0091025691df | High | Insecure Configurations | Azure Function App should only enforce FTPS when 'ftps_state' is enabled | Documentation |
| VM Not Attached To Network | bbf6b3df-4b65-4f87-82cc-da9f30f8c033 | High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
| AD Admin Not Configured For SQL Server | a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b | High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
| CosmosDB Account IP Range Filter Not Set | c2a3efb6-8a58-481c-82f2-bfddf34bb4b7 | High | Networking and Firewall | The IP range filter should be defined to secure the data stored | Documentation |
| Trusted Microsoft Services Not Enabled | 5400f379-a347-4bdd-a032-446465fdcc6f | High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access | Documentation |
| Sensitive Port Is Exposed To Entire Network | 594c198b-4d79-41b8-9b36-fde13348b619 | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
| SQLServer Ingress From Any IP | 25c0ea09-f1c5-4380-b055-3b83863f2bb8 | High | Networking and Firewall | Check if all IPs are allowed, i.e. a range from start 0.0.0.0 to end 255.255.255.255 | Documentation |
| Redis Publicly Accessible | 5089d055-53ff-421b-9482-a5267bdce629 | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources | Documentation |
| MSSQL Server Public Network Access Enabled | ade36cf4-329f-4830-a83d-9db72c800507 | High | Networking and Firewall | MSSQL Server public network access should be disabled | Documentation |
| MySQL Server Public Access Enabled | f118890b-2468-42b1-9ce9-af35146b425b | High | Networking and Firewall | MySQL Server public access should be disabled | Documentation |
| Redis Entirely Accessible | fd8da341-6760-4450-b26c-9f6d8850575e | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet | Documentation |
| SSH Is Exposed To The Internet | 3e3c175e-aadf-4e2b-a464-3fdac5748d24 | High | Networking and Firewall | Port 22 (SSH) is exposed to the internet | Documentation |
| RDP Is Exposed To The Internet | efbf6449-5ec5-4cfe-8f15-acc51e0d787c | High | Networking and Firewall | Port 3389 (Remote Desktop) is exposed to the internet | Documentation |
| Vault Auditing Disabled | 38c71c00-c177-4cd7-8d36-cd1007cdb190 | High | Observability | Ensure that logging for Azure KeyVault is 'Enabled' | Documentation |
| SQL Database Audit Disabled | 83a229ba-483e-47c6-8db7-dc96969bce5a | High | Resource Management | Ensure that 'Threat Detection' is enabled for Azure SQL Database | Documentation |
| App Service Managed Identity Disabled | b61cce4b-0cc4-472b-8096-15617a6d769b | High | Resource Management | Azure App Service should have managed identity enabled | Documentation |
| PostgreSQL Server Threat Detection Policy Disabled | c407c3cf-c409-4b29-b590-db5f4138d332 | High | Resource Management | PostgreSQL Server Threat Detection Policy should be enabled | Documentation |
| Key Expiration Not Set | 4d080822-5ee2-49a4-8984-68f3d4c890fc | High | Secret Management | Make sure that for all keys the expiration date is set | Documentation |
| Secret Expiration Not Set | dfa20ffa-f476-428f-a490-424b41e91c7f | High | Secret Management | Make sure that for all secrets the expiration date is set | Documentation |
| Storage Share File Allows All ACL Permissions | 48bbe0fd-57e4-4678-a4a1-119e79c90fc3 | Medium | Access Control | Azure Storage Share File should not allow all ACL (Access Control List) permissions: r (read), w (write), d (delete), and l (list) | Documentation |
| AKS RBAC Disabled | 86f92117-eed8-4614-9c6c-b26da20ff37f | Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
| Role Definition Allows Custom Role Creation | 3fa5900f-9aac-4982-96b2-a6143d9c99fb | Medium | Access Control | Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) | Documentation |
| Storage Table Allows All ACL Permissions | 3ac3e75c-6374-4a32-8ba0-6ed69bda404e | Medium | Access Control | Azure Storage Table should not allow all ACL (Access Control List) permissions: r (read), w (write), d (delete), and l (list) | Documentation |
| Virtual Network with DDoS Protection Plan disabled | b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a | Medium | Availability | Virtual Network should have DDoS Protection Plan enabled | Documentation |
| SQL Server Predictable Admin Account Name | 2ab6de9a-0136-415c-be92-79d2e4fd750f | Medium | Best Practices | Azure SQL Server's Admin account login must avoid names like 'Admin' that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict | Documentation |
| SQL Server Predictable Active Directory Account Name | bcd3fc01-5902-4f2a-b05a-227f9bbf5450 | Medium | Best Practices | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict | Documentation |
| Security Contact Email | 34664094-59e0-4524-b69f-deaa1a68cce3 | Medium | Best Practices | Security Contact Email should be defined | Documentation |
| Cosmos DB Account Without Tags | 56dad03e-e94f-4dd6-93a4-c253a03ff7a0 | Medium | Build Process | Cosmos DB Account must have a mapping of tags | Documentation |
| AKS Disk Encryption Set ID Undefined | b17d8bb8-4c08-4785-867e-cb9e62a622aa | Medium | Encryption | Azure Container Service (AKS) should use Disk Encryption Set ID | Documentation |
| Encryption On Managed Disk Disabled | a99130ab-4c0e-43aa-97f8-78d4fcb30024 | Medium | Encryption | Ensure that encryption is active on the disk | Documentation |
| Storage Account Not Using Latest TLS Encryption Version | 8263f146-5e03-43e0-9cfe-db960d56d1e7 | Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
| Security Group is Not Configured | 5c822443-e1ea-46b8-84eb-758ec602e844 | Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
| Security Center Pricing Tier Is Not Standard | 819d50fd-1cdf-45c3-9936-be408aaad93e | Medium | Insecure Configurations | Make sure that the 'Standard' pricing tier was selected | Documentation |
| Function App Client Certificates Unrequired | 9bb3c639-5edf-458c-8ee5-30c17c7d671d | Medium | Insecure Configurations | Azure Function App should have 'client_cert_mode' set to required | Documentation |
| Function App Managed Identity Disabled | c87749b3-ff10-41f5-9df2-c421e8151759 | Medium | Insecure Configurations | Azure Function App should have managed identity enabled | Documentation |
| Small Flow Logs Retention Period | 7750fcca-dd03-4d38-b663-4b70289bcfd4 | Medium | Insecure Configurations | Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with a retention period greater than or equal to 90 days. This is important because these logs are used to check for anomalies and give information on suspected breaches | Documentation |
| AKS Network Policy Misconfigured | f5342045-b935-402d-adf1-8dbbd09c0eef | Medium | Insecure Configurations | Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privilege, which means that 'network_profile.network_policy' should be defined | Documentation |
| Redis Cache Allows Non SSL Connections | e29a75e6-aba3-4896-b42d-b87818c16b58 | Medium | Insecure Configurations | Redis Cache resources should not allow non-SSL connections | Documentation |
| Default Network Access is Allowed | 9be09caf-2ba4-4fa9-9787-a670dc32c639 | Medium | Insecure Defaults | Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' | Documentation |
| Default Azure Storage Account Network Access Is Too Permissive | a5613650-32ec-4975-a305-31af783153ea | Medium | Insecure Defaults | Default Azure Storage Account network access should be set to Deny | Documentation |
| Network Interfaces IP Forwarding Enabled | 4216ebac-d74c-4423-b437-35025cb88af5 | Medium | Networking and Firewall | Network Interfaces IP Forwarding should be disabled | Documentation |
| Azure Cognitive Search Public Network Access Enabled | 4a9e0f00-0765-4f72-a0d4-d31110b78279 | Medium | Networking and Firewall | Public Network Access should be disabled for Azure Cognitive Search | Documentation |
| Network Interfaces With Public IP | c1573577-e494-4417-8854-7e119368dc8b | Medium | Networking and Firewall | Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) | Documentation |
| Unrestricted SQL Server Access | d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28 | Medium | Networking and Firewall | Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privilege, which means the difference between the values of 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both IPs must be different from '0.0.0.0' | Documentation |
| Sensitive Port Is Exposed To Wide Private Network | c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e | Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol | Documentation |
| WAF Is Disabled For Azure Application Gateway | 2e48d91c-50e4-45c8-9312-27b625868a72 | Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway | Documentation |
| MariaDB Server Public Network Access Enabled | 7f0a8696-7159-4337-ad0d-8a3ab4a78195 | Medium | Networking and Firewall | MariaDB Server Public Network Access should be disabled | Documentation |
| Sensitive Port Is Exposed To Small Public Network | e9dee01f-2505-4df2-b9bf-7804d1fd9082 | Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol | Documentation |
| Firewall Rule Allows Too Many Hosts To Access Redis Cache | a829b715-cf75-4e92-b645-54c9b739edfb | Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache | Documentation |
| Small MSSQL Server Audit Retention | 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc | Medium | Observability | Make sure for SQL Servers that Auditing Retention is greater than 90 days | Documentation |
| PostgreSQL Log Connections Not Set | c640d783-10c5-4071-b6c1-23507300d333 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
| Email Alerts Disabled | 9db38e87-f6aa-4b5e-a1ec-7266df259409 | Medium | Observability | Make sure that alert notifications are set to 'On' in the Azure Security Center Contact | Documentation |
| PostgreSQL Log Duration Not Set | 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
| MSSQL Server Auditing Disabled | 609839ae-bd81-4375-9910-5bce72ae7b92 | Medium | Observability | Make sure that for MSSQL Servers, 'Auditing' is set to 'On' | Documentation |
| Small PostgreSQL DB Server Log Retention Period | 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606 | Medium | Observability | Check if PostgreSQL Database Server retains logs for less than 3 days | Documentation |
| Small MSSQL Audit Retention Period | 9c301481-e6ec-44f7-8a49-8ec63e2969ea | Medium | Observability | Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days | Documentation |
| SQL Server Auditing Disabled | f7e296b0-6660-4bc5-8f87-22ac4a815edf | Medium | Observability | Make sure that for SQL Servers, 'Auditing' is set to 'On' | Documentation |
| Log Retention Is Not Set | ffb02aca-0d12-475e-b77c-a726f7aeff4b | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
| PostgreSQL Log Checkpoints Disabled | 3790d386-be81-4dcf-9850-eaa7df6c10d9 | Medium | Observability | Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
| PostgreSQL Log Disconnections Not Set | 07f7134f-9f37-476e-8664-670c218e4702 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
| PostgreSQL Server Without Connection Throttling | 2b3c671f-1b76-4741-8789-ed1fe0785dc4 | Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
| Small Activity Log Retention Period | 2b856bf9-8e8c-4005-875f-303a8cba3918 | Medium | Observability | Ensure that Activity Log Retention is set to 365 days or greater | Documentation |
| Azure Active Directory Authentication | a21c8da9-41bf-40cf-941d-330cf0d11fc7 | Low | Access Control | Azure Active Directory must be used for authentication for Service Fabric | Documentation |
| MariaDB Server Geo-redundant Backup Disabled | 0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1 | Low | Backup | MariaDB Server Geo-redundant Backup should be enabled | Documentation |
| App Service Without Latest PHP Version | 96fe318e-d631-4156-99fa-9080d57280ae | Low | Best Practices | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version | Documentation |
| Key Vault Secrets Content Type Undefined | f8e08a38-fc6e-4915-abbe-a7aadf1d59ef | Low | Best Practices | Key Vault Secrets should have Content Type set | Documentation |
| AKS Uses Azure Policies Add-On Disabled | 43789711-161b-4708-b5bb-9d1c626f7492 | Low | Best Practices | Azure Container Service (AKS) should use Azure Policies Add-On | Documentation |
| App Service Without Latest Python Version | cc4aaa9d-1070-461a-b519-04e00f42db8a | Low | Best Practices | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version | Documentation |
| PostgreSQL Server Infrastructure Encryption Disabled | 6425c98b-ca4e-41fe-896a-c78772c131f8 | Low | Encryption | PostgreSQL Server Infrastructure Encryption should be enabled | Documentation |
| Function App HTTP2 Disabled | ace823d1-4432-4dee-945b-cdf11a5a6bd0 | Low | Insecure Configurations | Function App should have 'http2_enabled' enabled | Documentation |
| Dashboard Is Enabled | 61c3cb8b-0715-47e4-b788-86dde40dd2db | Low | Insecure Configurations | Check if the Kubernetes Dashboard is enabled | Documentation |
| App Service HTTP2 Disabled | 525b53be-62ed-4244-b4df-41aecfcb4071 | Low | Insecure Configurations | App Service should have 'http2_enabled' enabled | Documentation |
| Azure Front Door WAF Disabled | 835a4f2f-df43-437d-9943-545ccfc55961 | Low | Networking and Firewall | Azure Front Door WAF should be enabled | Documentation |
| App Service Authentication Disabled | c7fc1481-2899-4490-bbd8-544a3a61a2f3 | Info | Access Control | Azure App Service authentication settings should be enabled | Documentation |
| SQL Server Alert Email Disabled | 55975007-f6e7-4134-83c3-298f1fe4b519 | Info | Best Practices | SQL Server alert email should be enabled | Documentation |
### KUBERNETES

Below are listed the queries related to Terraform KUBERNETES:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| Not Limited Capabilities For Pod Security Policy | 2acb555f-f4ad-4b1b-b984-84e6588f4b05 | High | Insecure Configurations | Limit capabilities for a Pod Security Policy | Documentation |
| Cluster Allows Unsafe Sysctls | a9174d31-d526-4ad9-ace4-ce7ddbf52e03 | High | Insecure Configurations | A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.security_context.sysctl' must not have unsafe sysctls and the attribute 'allowed_unsafe_sysctls' must be undefined | Documentation |
| Tiller (Helm v2) Is Deployed | ca2fba76-c1a7-4afd-be67-5249f861cb0e | High | Insecure Configurations | Check if Tiller is deployed | Documentation |
| NET_RAW Capabilities Not Being Dropped | e5587d53-a673-4a6b-b3f2-ba07ec274def | High | Insecure Configurations | Containers should drop 'ALL' or at least 'NET_RAW' capabilities | Documentation |
| Privilege Escalation Allowed | c878abb4-cca5-4724-92b9-289be68bd47c | High | Insecure Configurations | Containers should not run with allowPrivilegeEscalation, in order to prevent them from gaining more privileges than their parent process | Documentation |
| PSP Allows Containers To Share The Host Network Namespace | 4950837c-0ce5-4e42-9bee-a25eae73740b | High | Insecure Configurations | Check if Pod Security Policies allow containers to share the host network namespace | Documentation |
| Container Is Privileged | 87065ef8-de9b-40d8-9753-f4a4303e27a4 | High | Insecure Configurations | Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false | Documentation |
| Role Binding To Default Service Account | 3360c01e-c8c0-4812-96a2-a6329b9b7f9f | High | Insecure Defaults | No role nor cluster role should bind to a default service account | Documentation |
| Non Kube System Pod With Host Mount | 86a947ea-f577-4efb-a8b0-5fc00257d521 | Medium | Access Control | A non kube-system workload should not have hostPath mounted | Documentation |
| RBAC Roles with Read Secrets Permissions | 826abb30-3cd5-4e0b-a93b-67729b4f7e63 | Medium | Access Control | Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys | Documentation |
| Permissive Access to Create Pods | 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba | Medium | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation | Documentation |
| Readiness Probe Is Not Configured | 8657197e-3f87-4694-892b-8144701d83c1 | Medium | Availability | Check if Readiness Probe is not configured | Documentation |
| Root Containers Admitted | 4c415497-7410-4559-90e8-f2c8ac64ee38 | Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden | Documentation |
| Incorrect Volume Claim Access Mode ReadWriteOnce | 26b047a9-0329-48fd-8fb7-05bbe5ba80ee | Medium | Build Process | Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' | Documentation |
| Using Default Namespace | abcb818b-5af7-4d72-aba9-6dd84956b451 | Medium | Insecure Configurations | The default namespace should not be used | Documentation |
| Workload Mounting With Sensitive OS Directory | a737be28-37d8-4bff-aa6d-1be8aa0a0015 | Medium | Insecure Configurations | Workload is mounting a volume with a sensitive OS directory | Documentation |
| PSP With Added Capabilities | 48388bd2-7201-4dcc-b56d-e8a9efa58fad | Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities | Documentation |
| Ingress Controller Exposes Workload | e2c83c1f-84d7-4467-966c-ed41fd015bb9 | Medium | Insecure Configurations | Ingress Controllers should not expose workloads, in order to avoid vulnerabilities and DoS attacks | Documentation |
| Seccomp Profile Is Not Configured | 455f2e0c-686d-4fcb-8b5f-3f953f12c43c | Medium | Insecure Configurations | Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls | Documentation |
| NET_RAW Capabilities Disabled for PSP | 9aa32890-ac1a-45ee-81ca-5164e2098556 | Medium | Insecure Configurations | Containers need to have NET_RAW or All as drop capabilities | Documentation |
| PSP Set To Privileged | a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9 | Medium | Insecure Configurations | Do not allow a pod to request execution as privileged | Documentation |
| Container Host Pid Is True | 587d5d82-70cf-449b-9817-f60f9bccb88c | Medium | Insecure Configurations | Minimize the admission of containers wishing to share the host process ID namespace | Documentation |
| PSP Allows Sharing Host IPC | 51bed0ac-a8ae-407a-895e-90c6cb0610ce | Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace | Documentation |
| Container Resources Limits Undefined | 60af03ff-a421-45c8-b214-6741035476fa | Medium | Insecure Configurations | Kubernetes containers should have resource limits defined, such as CPU and memory | Documentation |
| Containers With Added Capabilities | fe771ff7-ba15-4f8f-ad7a-8aa232b49a28 | Medium | Insecure Configurations | Containers should not have extra capabilities allowed | Documentation |
| Containers With Sys Admin Capabilities | 3f55386d-75cd-4e9a-ac47-167b26c04724 | Medium | Insecure Configurations | Containers should not have the CAP_SYS_ADMIN Linux capability | Documentation |
| Container Runs Unmasked | 0ad60203-c050-4115-83b6-b94bde92541d | Medium | Insecure Configurations | Check if a container has full (unmasked) access to the host's /proc, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime | Documentation |
| Default Service Account In Use | 737a0dd9-0aaa-4145-8118-f01778262b8a | Medium | Insecure Configurations | Default service accounts should not be actively used | Documentation |
| PSP Allows Privilege Escalation | 2bff9906-4e9b-4f71-9346-8ebedfdf43ef | Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation | Documentation |
| Service Account Token Automount Not Disabled | a9a13d4f-f17a-491b-b074-f54bffffcb4a | Medium | Insecure Defaults | Service Account Tokens are automatically mounted even if not necessary | Documentation |
| Service Account Name Undefined Or Empty | 24b132df-5cc7-4823-8029-f898e1c50b72 | Medium | Insecure Defaults | A Kubernetes Pod should have a Service Account defined so as to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty | Documentation |
| Network Policy Is Not Targeting Any Pod | b80b14c6-aaa2-4876-b651-8a48b6c32fbf | Medium | Networking and Firewall | Check if any network policy is not targeting any pod | Documentation |
| Service With External Load Balance | 2a52567c-abb8-4651-a038-52fa27c77aed | Medium | Networking and Firewall | Service has an external load balancer, which may cause accessibility from other networks and the Internet | Documentation |
| Memory Limits Not Defined | fd097ed0-7fe6-4f58-8b71-fef9f0820a21 | Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory | Documentation |
| Shared Host IPC Namespace | e94d3121-c2d1-4e34-a295-139bfeb73ea3 | Medium | Resource Management | Container should not share the host IPC namespace | Documentation |
| CPU Requests Not Set | 577ac19c-6a77-46d7-9f14-e049cdd15ec2 | Medium | Resource Management | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node | Documentation |
| Memory Requests Not Defined | 21719347-d02b-497d-bda4-04a03c8e5b61 | Medium | Resource Management | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes | Documentation |
| CPU Limits Not Set | 5f4735ce-b9ba-4d95-a089-a37a767b716f | Medium | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests | Documentation |
| Shared Host Network Namespace | ac1564a3-c324-4747-9fa1-9dfc234dace0 | Medium | Resource Management | Container should not share the host network namespace | Documentation |
| Volume Mount With OS Directory Write Permissions | a62a99d1-8196-432f-8f80-3c100b05d62a | Medium | Resource Management | Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries | Documentation |
| Shared Service Account | f74b9c43-161a-4799-bc95-0b0ec81801b9 | Medium | Secret Management | A Service Account token is shared between workloads | Documentation |
| Service Account Allows Access Secrets | 07fc3413-e572-42f7-9877-5c8fc6fccfb5 | Medium | Secret Management | Kubernetes_role and Kubernetes_cluster_role, when bound, should not use get, list or watch as verbs | Documentation |
| Missing App Armor Config | bd6bd46c-57db-4887-956d-d372f21291b6 | Low | Access Control | Containers should be configured with AppArmor for any application to reduce its potential attack surface | Documentation |
| Docker Daemon Socket is Exposed to Containers | 4e203a65-c8d8-49a2-b749-b124d43c9dc1 | Low | Access Control | Checks that the Docker Daemon Socket is not exposed to Containers | Documentation |
| Cluster Admin Rolebinding With Superuser Permissions | 17172bc2-56fb-4f17-916f-a014147706cd | Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) | Documentation |
| Deployment Without PodDisruptionBudget | a05331ee-1653-45cb-91e6-13637a76e4f0 | Low | Availability | Deployments should be assigned a PodDisruptionBudget to ensure high availability | Documentation |
| Liveness Probe Is Not Defined | 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3 | Low | Availability | In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it | Documentation |
| HPA Targets Invalid Object | 17e52ca3-ddd0-4610-9d56-ce107442e110 | Low | Availability | The Horizontal Pod Autoscaler must target a valid object | Documentation |
| StatefulSet Without PodDisruptionBudget | 7249e3b0-9231-4af3-bc5f-5daf4988ecbf | Low | Availability | StatefulSets should be assigned a PodDisruptionBudget to ensure high availability | Documentation |
| StatefulSet Without Service Name | 420e6360-47bb-46f6-9072-b20ed22c842d | Low | Availability | StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels | Documentation |
| Metadata Label Is Invalid | bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e | Low | Best Practices | Check if any label in the metadata is invalid | Documentation |
| No Drop Capabilities for Containers | 21cef75f-289f-470e-8038-c7cee0664164 | Low | Best Practices | Checks that Kubernetes drop capabilities exist to ensure the containers' security context | Documentation |
| Root Container Not Mounted As Read-only | d532566b-8d9d-4f3b-80bd-361fe802f9c2 | Low | Build Process | Check if the root container filesystem is not being mounted as read-only | Documentation |
| StatefulSet Requests Storage | fcc2612a-1dfe-46e4-8ce6-0320959f0040 | Low | Build Process | A StatefulSet requests volume storage | Documentation |
| Pod or Container Without Security Context | ad69e38a-d92e-4357-a8da-f2f29d545883 | Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container | Documentation |
| Image Pull Policy Of The Container Is Not Set To Always | aa737abf-6b1d-4aba-95aa-5c160bd7f96e | Low | Insecure Configurations | Image Pull Policy of the container must be defined and set to Always | Documentation |
| Image Without Digest | 228c4c19-feeb-4c18-848c-800ac70fdfb7 | Low | Insecure Configurations | Images should be specified together with their digests to ensure integrity | Documentation |
| Service Type is NodePort | 5c281bf8-d9bb-47f2-b909-3f6bb11874ad | Low | Networking and Firewall | Service type should not be NodePort | Documentation |
| Workload Host Port Not Specified | 4e74cf4f-ff65-4c1a-885c-67ab608206ce | Low | Networking and Firewall | Verifies whether the Kubernetes workload's host port is specified | Documentation |
| Deployment Has No PodAntiAffinity | 461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3 | Low | Resource Management | Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node | Documentation |
| CronJob Deadline Not Configured | 58876b44-a690-4e9f-9214-7735fa0dd15d | Low | Resource Management | Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined | Documentation |
| Secrets As Environment Variables | 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8 | Low | Secret Management | Container should not use secrets as environment variables | Documentation |
| Invalid Image | e76cca7c-c3f9-4fc9-884c-b2831168ebd8 | Low | Supply-Chain | Image must be defined and not be empty or equal to latest | Documentation |
### ALICLOUD
Below are the queries related to Terraform ALICLOUD:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| OSS Bucket Allows Delete Action From All Principals | 8c0695d8-2378-4cd6-8243-7fd5894fa574 | High | Access Control | OSS Bucket should not allow delete action from all principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. | Documentation |
| Ram Policy Admin Access Not Attached to Users Groups Roles | e8e62026-da63-4904-b402-65adfe3ca975 | High | Access Control | Ram policies with admin access should not be associated to users, groups or roles | Documentation |
| OSS Bucket Allows Put Action From All Principals | fe286195-e75c-4359-bd58-00847c4f855a | High | Access Control | OSS Bucket should not allow put action from all principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. | Documentation |
| OSS Bucket Public Access Enabled | 62232513-b16f-4010-83d7-51d0e1d45426 | High | Access Control | OSS Bucket should have public access disabled | Documentation |
| OSS Bucket Allows All Actions From All Principals | ec62a32c-a297-41ca-a850-cab40b42094a | High | Access Control | OSS Buckets should not allow all actions (wildcard) from all principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. | Documentation |
| OSS Bucket Allows List Action From All Principals | 88541597-6f88-42c8-bac6-7e0b855e8ff6 | High | Access Control | OSS Bucket should not allow list action from all principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. | Documentation |
| RAM Security Preference Not Enforce MFA Login | dcda2d32-e482-43ee-a926-75eaabeaa4e0 | High | Access Control | RAM Security preferences should enforce MFA login for RAM users | Documentation |
| RDS Instance TDE Status Disabled | 44d434ca-a9bf-4203-8828-4c81a8d5a598 | High | Encryption | tde_status parameter should be Enabled for supported RDS instances | Documentation |
| NAS File System Not Encrypted | 67bfdff1-31ce-4525-b564-e94368735360 | High | Encryption | NAS File System must be encrypted | Documentation |
| Launch Template Is Not Encrypted | 1455cb21-1d48-46d6-8ae3-cef911b71fd5 | High | Encryption | ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. | Documentation |
| NAS File System Without KMS | 5f670f9d-b1b4-4c90-8618-2288f1ab9676 | High | Encryption | NAS File System should have encryption provided by user KMS | Documentation |
| Ecs Data Disk Kms Key Id Undefined | f262118c-1ac6-4bb3-8495-cc48f1775b85 | High | Encryption | Ecs Data Disk Kms Key Id should be set | Documentation |
| DB Instance Publicly Accessible | faaefc15-51a5-419e-bb5e-51a4b5ab3485 | High | Insecure Configurations | The field 'address' should not be set to '0.0.0.0/0' | Documentation |
| OSS Bucket Has Static Website | 2b13c6ff-b87a-484d-86fd-21ef6e97d426 | High | Insecure Configurations | Checks if any static websites are hosted on buckets. Be aware of any website you are running. | Documentation |
| RDS DB Instance Publicly Accessible | 1b4565c0-4877-49ac-ab03-adebbccd42ae | High | Insecure Configurations | '0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list | Documentation |
| OSS Bucket Ip Restriction Disabled | 6107c530-7178-464a-88bc-df9cdd364ac8 | High | Networking and Firewall | OSS Bucket should have IP-restricted access | Documentation |
| Public Security Group Rule All Ports or Protocols | 60587dbd-6b67-432e-90f7-a8cf1892d968 | High | Networking and Firewall | Alicloud Security Group Rule should not allow all ports or all protocols to the public | Documentation |
| OSS Buckets Secure Transport Disabled | c01d10de-c468-4790-b3a0-fc887a56f289 | High | Networking and Firewall | OSS Buckets should have secure transport enabled | Documentation |
| API Gateway API Protocol Not HTTPS | 1bcdf9f0-b1aa-40a4-b8c6-cd7785836843 | High | Networking and Firewall | API Gateway API protocol should be set to HTTPS | Documentation |
| Public Security Group Rule Sensitive Port | 2ae9d554-23fb-4065-bfd1-fe43d5f7c419 | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol | Documentation |
| ALB Listening on HTTP | ee3b1557-9fb5-4685-a95d-93f1edf2a0d7 | High | Networking and Firewall | Application Load Balancer (alb) Listener should not listen on HTTP | Documentation |
| RDS Instance Events Not Logged | b9c524a4-fe76-4021-a6a2-cb978fb4fde1 | High | Observability | All RDS Instance events trackers should be 'true' | Documentation |
| ActionTrail Trail OSS Bucket is Publicly Accessible | 69b5d7da-a5db-4db9-a42e-90b65d0efb0b | High | Observability | ActionTrail Trail OSS Bucket should not be publicly accessible | Documentation |
| Ram Account Password Policy Not Required Minimum Length | a9dfec39-a740-4105-bbd6-721ba163c053 | High | Secret Management | Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above | Documentation |
| Ram Account Password Policy Max Login Attempts Unrecommended | e76fd7ab-7333-40c6-a2d8-ea28af4a319e | High | Secret Management | Ram Account Password Policy should have 'max_login_attempts' set to a maximum of 5 incorrect login attempts | Documentation |
| Ram Policy Attached to User | 66505003-7aba-45a1-8d83-5162d5706ef5 | Medium | Access Control | Ram policies should not be attached to users | Documentation |
| CMK Is Unusable | ed6e3ba0-278f-47b6-a1f5-173576b40b7e | Medium | Availability | Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true | Documentation |
| OSS Bucket Versioning Disabled | 70919c0b-2548-4e6b-8d7a-3d84ab6dabba | Medium | Backup | OSS Bucket should have versioning enabled | Documentation |
| ROS Stack Retention Disabled | 4bb06fa1-2114-4a00-b7b5-6aeab8b896f0 | Medium | Backup | 'retain_stacks' should be enabled to keep the Stack upon deleting the stack instance from the stack group | Documentation |
| ROS Stack Without Template | 92d65c51-5d82-4507-a2a1-d252e9706855 | Medium | Build Process | Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body | Documentation |
| Disk Encryption Disabled | 39750e32-3fe9-453b-8c33-dd277acdb2cc | Medium | Encryption | Disks should have encryption enabled | Documentation |
| OSS Bucket Encryption Using CMK Disabled | f20e97f9-4919-43f1-9be9-f203cd339cdd | Medium | Encryption | OSS Bucket should have encryption enabled using Customer Master Key | Documentation |
| SLB Policy With Insecure TLS Version In Use | dbfc834a-56e5-4750-b5da-73fda8e73f70 | Medium | Encryption | SLB Policy should not support insecure versions of TLS protocol | Documentation |
| CS Kubernetes Node Pool Auto Repair Disabled | 81ce9394-013d-4731-8fcc-9d229b474073 | Medium | Insecure Configurations | Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. | Documentation |
| Public Security Group Rule Unknown Port | dd706080-b7a8-47dc-81fb-3e8184430ec0 | Medium | Networking and Firewall | An unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned | Documentation |
| Kubernetes Cluster Without Terway as CNI Network Plugin | b9b7ada8-3868-4a35-854e-6100a2bb863d | Medium | Networking and Firewall | Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies | Documentation |
| ROS Stack Notifications Disabled | 9ef08939-ea40-489c-8851-667870b2ef50 | Medium | Observability | The ROS Stack Notifications should be defined and populated to receive stack related events | Documentation |
| RDS Instance Retention Period Not Recommended | dc158941-28ce-481d-a7fa-dc80761edf46 | Medium | Observability | RDS Instance SQL Retention Period should be greater than 180 | Documentation |
| OSS Bucket Logging Disabled | 05db341e-de7d-4972-a106-3e2bd5ee53e1 | Medium | Observability | OSS Bucket should have logging enabled, for better visibility of resources and objects. | Documentation |
| Action Trail Logging For All Regions Disabled | c065b98e-1515-4991-9dca-b602bd6a2fbb | Medium | Observability | Action Trail Logging for all regions should be enabled | Documentation |
| Log Retention Is Not Greater Than 90 Days | ed6cf6ff-9a1f-491c-9f88-e03c0807f390 | Medium | Observability | OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. | Documentation |
| No ROS Stack Policy | 72ceb736-0aee-43ea-a191-3a69ab135681 | Medium | Resource Management | ROS Stack should have a stack policy in order to protect stack resources from and during update actions | Documentation |
| RAM Account Password Policy without Reuse Prevention | a8128dd2-89b0-464b-98e9-5d629041dfe0 | Medium | Secret Management | RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less | Documentation |
| High KMS Key Rotation Period | cb319d87-b90f-485e-a7e7-f2408380f309 | Medium | Secret Management | KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year | Documentation |
| Ram Account Password Policy Not Required Numbers | 063234c0-91c0-4ab5-bbd0-47ddb5f23786 | Medium | Secret Management | Ram Account Password Policy should have 'require_numbers' set to true | Documentation |
| RAM Account Password Policy Not Require at Least one Uppercase Character | 5e0fb613-ba9b-44c3-88f0-b44188466bfd | Medium | Secret Management | Ram Account Password Policy should have 'require_uppercase_characters' set to true | Documentation |
| Ram Account Password Policy Not Require At Least one Lowercase Character | 89143358-cec6-49f5-9392-920c591c669c | Medium | Secret Management | Ram Account Password Policy should have 'require_lowercase_characters' set to true | Documentation |
| Ram Account Password Policy Max Password Age Unrecommended | 2bb13841-7575-439e-8e0a-cccd9ede2fa8 | Medium | Secret Management | Ram Account Password Policy 'max_password_age' should be higher than 0 and lower than 91 | Documentation |
| RAM Account Password Policy Not Required Symbols | 41a38329-d81b-4be4-aef4-55b2615d3282 | Medium | Secret Management | RAM account password security should require at least one symbol | Documentation |
| OSS Bucket Transfer Acceleration Disabled | 8f98334a-99aa-4d85-b72a-1399ca010413 | Low | Availability | OSS Bucket should have transfer acceleration enabled | Documentation |
| OSS Bucket Lifecycle Rule Disabled | 7db8bd7e-9772-478c-9ec5-4bc202c5686f | Low | Backup | OSS Bucket should have lifecycle rule enabled and set to true | Documentation |
| RDS Instance Log Connections Disabled | 140869ea-25f2-40d4-a595-0c0da135114e | Low | Observability | 'log_connections' parameter should be set to ON for RDS instances | Documentation |
| RDS Instance Log Disconnections Disabled | d53f4123-f8d8-4224-8cb3-f920b151cc98 | Low | Observability | 'log_disconnections' parameter should be set to ON for RDS instances | Documentation |
| RDS Instance Log Duration Disabled | a597e05a-c065-44e7-9cc8-742f572a504a | Low | Observability | 'log_duration' parameter should be set to ON for RDS instances | Documentation |
| VPC Flow Logs Disabled | d2731f3d-a992-44ed-812e-f4f1c2747d71 | Low | Observability | Every VPC resource should have an associated Flow Log | Documentation |
### AWS_BOM
Below are the queries related to Terraform AWS_BOM:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| BOM - AWS EFS | f53f16d6-46a9-4277-9fbe-617b1e24cdca | Trace | Bill Of Materials | A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. | Documentation |
| BOM - AWS SNS | eccc4d59-74b9-4974-86f1-74386e0c7f33 | Trace | Bill Of Materials | A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. | Documentation |
| BOM - AWS EBS | 86571149-eef3-4280-a645-01e60df854b0 | Trace | Bill Of Materials | A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). | Documentation |
| BOM - AWS SQS | baecd2da-492a-4d59-b9dc-29540a1398e0 | Trace | Bill Of Materials | A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. | Documentation |
| BOM - AWS MQ | fcb1b388-f558-4b7f-9b6e-f4e98abb7380 | Trace | Bill Of Materials | A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. | Documentation |
| BOM - AWS S3 Buckets | 2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045 | Trace | Bill Of Materials | A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. | Documentation |
| BOM - AWS Elasticache | 54229498-850b-4f78-b3a7-218d24ef2c37 | Trace | Bill Of Materials | A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. | Documentation |
| BOM - AWS MSK | 051f2063-2517-4295-ad8e-ba88c1bf5cfc | Trace | Bill Of Materials | A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. | Documentation |
### AWS
Below are the queries related to Terraform AWS:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| S3 Bucket Allows List Action From All Principals | 66c6f96f-2d9e-417e-a998-9058aeeecd44 | High | Access Control | S3 Buckets must not allow List Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. | Documentation |
| SNS Topic is Publicly Accessible | b26d2b7e-60f6-413d-a3a1-a57db24aa2b3 | High | Access Control | SNS Topic Policy should not allow any principal to access | Documentation |
| S3 Bucket ACL Allows Read Or Write to All Users | 38c5ee0d-7f22-4260-ab72-5073048df100 | High | Access Control | S3 Buckets should not be readable and writable to all users | Documentation |
| S3 Bucket With All Permissions | a4966c4f-9141-48b8-a564-ffe9959945bc | High | Access Control | S3 Buckets should not have all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. | Documentation |
| EFS With Vulnerable Policy | fae52418-bb8b-4ac2-b287-0b9082d6a3fd | High | Access Control | EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. | Documentation |
| Neptune Cluster Instance is Publicly Accessible | 9ba198e0-fef4-464a-8a4d-75ea55300de7 | High | Access Control | Neptune Cluster Instance should not be publicly accessible | Documentation |
| IAM Role With Full Privileges | b1ffa705-19a3-4b73-b9d0-0c97d0663842 | High | Access Control | IAM role policy that allows full administrative privileges (for all resources) | Documentation |
| IAM Policy Grants Full Permissions | 575a2155-6af1-4026-b1af-d5bc8fe2a904 | High | Access Control | IAM policy should not grant full permissions to resources from the get-go; instead, permissions should be granted gradually as necessary. | Documentation |
| S3 Bucket Allows Put Action From All Principals | d24c0755-c028-44b1-b503-8e719c898832 | High | Access Control | S3 Buckets must not allow Put Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. | Documentation |
| S3 Bucket Allows Public Policy | 1a4bc881-9f69-4d44-8c9a-d37d08f54c50 | High | Access Control | S3 bucket allows public policy | Documentation |
| S3 Bucket ACL Grants WRITE_ACP Permission | 64a222aa-7793-4e40-915f-4b302c76e4d4 | High | Access Control | S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List, in order to prevent AWS accounts or IAM users from modifying access control permissions to the bucket. | Documentation |
| ECS Service Admin Role Is Present | 3206240f-2e87-4e58-8d24-3e19e7c83d7c | High | Access Control | ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role | Documentation |
| S3 Bucket Allows Delete Action From All Principals | ffdf4b37-7703-4dfe-a682-9d2e99bc6c09 | High | Access Control | S3 Buckets must not allow Delete Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. | Documentation |
| Authentication Without MFA | 3ddfa124-6407-4845-a501-179f90c65097 | High | Access Control | Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating | Documentation |
| S3 Bucket ACL Allows Read to Any Authenticated User | 57b9893d-33b1-4419-bcea-a717ea87e139 | High | Access Control | S3 Buckets should not be readable to any authenticated user | Documentation |
| IAM Policies With Full Privileges | 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84 | High | Access Control | IAM policies shouldn't allow full administrative privileges (for all resources) | Documentation |
| S3 Bucket Allows Get Action From All Principals | 1df37f4b-7197-45ce-83f8-9994d2fcf885 | High | Access Control | S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. | Documentation |
| S3 Bucket Access to Any Principal | 7af43613-6bb9-4a0e-8c4d-1314b799425e | High | Access Control | S3 Buckets must not allow Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals | Documentation |
| MSK Broker Is Publicly Accessible | 54378d69-dd7c-4b08-a43e-80d563396857 | High | Access Control | Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible | Documentation |
| SQS Queue Exposed | abb06e5f-ef9a-4a99-98c6-376d396bfcdf | High | Access Control | Checks if the SQS Queue is exposed | Documentation |
| User Data Shell Script Is Encoded | 9cf718ce-46f9-430e-89ec-c456f8b469ee | High | Encryption | User Data Shell Script must be encoded | Documentation |
| EBS Volume Snapshot Not Encrypted | e6b4b943-6883-47a9-9739-7ada9568f8ca | High | Encryption | The value on AWS EBS Volume Snapshot Encryption must be true | Documentation |
| RDS Database Cluster not Encrypted | 656880aa-1388-488f-a6d4-8f73c23149b2 | High | Encryption | RDS Database Cluster Encryption should be enabled | Documentation |
| EBS Default Encryption Disabled | 3d3f6270-546b-443c-adb4-bb6fb2187ca6 | High | Encryption | EBS Encryption should be enabled | Documentation |
| ECS Task Definition Container With Plaintext Password | d40210ea-64b9-4cce-a4fb-e8604f3c062c | High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. | Documentation |
| IAM Database Auth Not Enabled | 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6 | High | Encryption | IAM Database Auth Enabled should be configured to true when using compatible engine and version | Documentation |
| User Data Contains Encoded Private Key | 443488f5-c734-460b-a36d-5b3f330174dc | High | Encryption | User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily | Documentation |
| Sagemaker Notebook Instance Without KMS | f3674e0c-f6be-43fa-b71c-bf346d1aed99 | High | Encryption | AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS key | Documentation |
| MSK Cluster Encryption Disabled | 6db52fa6-d4da-4608-908a-89f0c59e743e | High | Encryption | Ensure MSK Cluster encryption at rest and in transit is enabled | Documentation |
| Redis Not Compliant | 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4 | High | Encryption | Check if the redis version is compliant with the necessary AWS PCI DSS requirements | Documentation |
| DAX Cluster Not Encrypted | f11aec39-858f-4b6f-b946-0a1bf46c0c87 | High | Encryption | AWS DAX Cluster should have server-side encryption at rest | Documentation |
| Secure Ciphers Disabled | 5c0003fb-9aa0-42c1-9da3-eb0e332bef21 | High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
| Viewer Protocol Policy Allows HTTP | 55af1353-2f62-4fa0-a8e1-a210ca2708f5 | High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
| RDS Storage Not Encrypted | 3199c26c-7871-4cb3-99c2-10a59244ce7f | High | Encryption | RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' | Documentation |
| ELB Using Insecure Protocols | 126c1788-23c2-4a10-906c-ef179f4f96ec | High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. | Documentation |
| Athena Workgroup Not Encrypted | d364984a-a222-4b5f-a8b0-e23ab19ebff3 | High | Encryption | Athena Workgroup query results should be encrypted, for all queries that run in the workgroup | Documentation |
| CA Certificate Identifier Is Outdated | 9f40c07e-699e-4410-8856-3ba0f2e3a2dd | High | Encryption | The CA certificate Identifier must be 'rds-ca-2019'. | Documentation |
| DOCDB Cluster Without KMS | 4766d3ea-241c-4ee6-93ff-c380c996bd1a | High | Encryption | AWS DOCDB Cluster should be encrypted with a KMS encryption key | Documentation |
| Redshift Not Encrypted | cfdcabb0-fc06-427c-865b-c59f13e898ce | High | Encryption | AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) | Documentation |
| Sagemaker Endpoint Configuration Encryption Disabled | 58b35504-0287-4154-bf69-02c0573deab8 | High | Encryption | Sagemaker endpoint configuration should encrypt data | Documentation |
| S3 Bucket SSE Disabled | 6726dcc0-5ff5-459d-b473-a780bef7665c | High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required | Documentation |
| Kinesis SSE Not Configured | 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3 | High | Encryption | AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled | Documentation |
| EKS Cluster Encryption Disabled | 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281 | High | Encryption | EKS Cluster should be encrypted | Documentation |
| EFS Without KMS | 25d251f3-f348-4f95-845c-1090e41a615c | High | Encryption | Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed keys | Documentation |
| ELB Using Weak Ciphers | 4a800e14-c94a-442d-9067-5a2e9f6c0a4c | High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. | Documentation |
| Athena Database Not Encrypted | b2315cae-b110-4426-81e0-80bb8640cdd3 | High | Encryption | AWS Athena Database data in S3 should be encrypted | Documentation |
| S3 Bucket Object Not Encrypted | 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e | High | Encryption | S3 Bucket Object should have server-side encryption enabled | Documentation |
| API Gateway Method Settings Cache Not Encrypted | b7c9a40c-23e4-4a2d-8d39-a3352f10f288 | High | Encryption | API Gateway Method Settings Cache should be encrypted | Documentation |
| CloudWatch Log Group Not Encrypted | 0afbcfe9-d341-4b92-a64c-7e6de0543879 | High | Encryption | AWS CloudWatch Log groups should be encrypted using KMS | Documentation |
| Glue Security Configuration Encryption Disabled | ad5b4e97-2850-4adf-be17-1d293e0b85ee | High | Encryption | Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled | Documentation |
| DOCDB Cluster Not Encrypted | bc1f9009-84a0-490f-ae09-3e0ea6d74ad6 | High | Encryption | AWS DOCDB Cluster storage should be encrypted | Documentation |
| AMI Not Encrypted | 8bbb242f-6e38-4127-86d4-d8f0b2687ae2 | High | Encryption | AWS AMI Encryption is not enabled | Documentation |
| DB Instance Storage Not Encrypted | 08bd0760-8752-44e1-9779-7bb369b2b4e4 | High | Encryption | AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. | Documentation |
| Kinesis Not Encrypted With KMS | 862fe4bf-3eec-4767-a517-40f378886b88 | High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS | Documentation |
| Glue Data Catalog Encryption Disabled | 01d50b14-e933-4c99-b314-6d08cd37ad35 | High | Encryption | Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled | Documentation |
| ECS Task Definition Volume Not Encrypted | 4d46ff3b-7160-41d1-a310-71d6d370b08f | High | Encryption | AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted | Documentation |
| Workspaces Workspace Volume Not Encrypted | b9033580-6886-401a-8631-5f19f5bb24c7 | High | Encryption | AWS Workspaces Workspace data stored in volumes should be encrypted | Documentation |
| Launch Configuration Is Not Encrypted | 4de9de27-254e-424f-bd70-4c1e95790838 | High | Encryption | Launch Configuration EBS should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' argument should be set to true in each volume block | Documentation |
| EFS Not Encrypted | 48207659-729f-4b5c-9402-f884257d794f | High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
| CodeBuild Project Encrypted With AWS Managed Key | 3deec14b-03d2-4d27-9670-7d79322e3340 | High | Encryption | CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys | Documentation |
| DB Instance Publicly Accessible | 35113e6f-2c6b-414d-beec-7a9482d3b2d1 | High | Insecure Configurations | RDS must not be defined with a public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). | Documentation |
| S3 Bucket Without Enabled MFA Delete | c5b31ab9-0f26-4a49-b8aa-4cc064392f4d | High | Insecure Configurations | S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform; it can be done by adding an MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using the AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please also note that MFA delete cannot be used with lifecycle configurations | Documentation |
| CloudFront Without Minimum Protocol TLS 1.2 | 00e5e55e-c2ff-46b3-a757-a7a1cd802456 | High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
| No Password Policy Enabled | b592ffd4-0577-44b6-bd35-8c5ee81b5918 | High | Insecure Configurations | IAM password policies should be set through the password minimum length and reset password attributes | Documentation |
| ECS Task Definition Network Mode Not Recommended | 9f4a9409-9c60-4671-be96-9716dbf63db1 | High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
| DB Security Group Has Public Interface | f0d8781f-99bf-4958-9917-d39283b168a0 | High | Insecure Configurations | The CIDR IP should not be a public interface | Documentation |
| KMS Key With Vulnerable Policy | 7ebc9038-0bde-479a-acc4-6ed7b6758899 | High | Insecure Configurations | Checks if the policy is vulnerable and needs updating. | Documentation |
| S3 Static Website Host Enabled | 42bb6b7f-6d54-4428-b707-666f669d94fb | High | Insecure Configurations | Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. | Documentation |
| S3 Bucket with Unsecured CORS Rule | 98a8f708-121b-455b-ae2f-da3fb59d17e1 | High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure | Documentation |
| Redshift Publicly Accessible | af173fde-95ea-4584-b904-bb3923ac4bda | High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) | Documentation |
| Batch Job Definition With Privileged Container Properties | 66cd88ac-9ddf-424a-b77e-e55e17630bee | High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
| Lambda Function With Privileged Role | 1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2 | High | Insecure Configurations | It is not advisable for AWS Lambda Functions to have privileged permissions. | Documentation |
| S3 Bucket Without Restriction Of Public Bucket | 1ec253ab-c220-4d63-b2de-5b40e0af9293 | High | Insecure Configurations | S3 bucket without restriction of public bucket | Documentation |
| Root Account Has Active Access Keys | 970d224d-b42a-416b-81f9-8f4dfe70c4bc | High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. | Documentation |
| API Gateway Without Security Policy | 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b | High | Insecure Configurations | API Gateway should have a Security Policy defined and use TLS 1.2. | Documentation |
| IAM User Policy Without MFA | b5681959-6c09-4f55-b42b-c40fa12d03ec | High | Insecure Configurations | Check if the root user is authenticated with MFA | Documentation |
| Vulnerable Default SSL Certificate | 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef | High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. | Documentation |
| EKS Cluster Has Public Access CIDRs | 61cf9883-1752-4768-b18c-0d57f2737709 | High | Networking and Firewall | Amazon EKS public endpoint is enabled and accessible to all (0.0.0.0/0) | Documentation |
| Sensitive Port Is Exposed To Entire Network | 381c3f2a-ef6f-4eff-99f7-b169cda3422c | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
| EKS node group remote access disabled | ba40ace1-a047-483c-8a8d-bc2d3a67a82d | High | Networking and Firewall | EKS node group remote access is disabled when 'SourceSecurityGroups' is missing | Documentation |
| HTTP Port Open To Internet | ffac8a12-322e-42c1-b9b9-81ff85c39ef7 | High | Networking and Firewall | The HTTP port is open to the internet in a Security Group | Documentation |
| Unrestricted Security Group Ingress | 4728cd65-a20c-49da-8b31-9c08b423e4db | High | Networking and Firewall | Security groups allow ingress from 0.0.0.0:0 | Documentation |
| VPC Peering Route Table with Unrestricted CIDR | b3a41501-f712-4c4f-81e5-db9a7dc0e34e | High | Networking and Firewall | VPC Peering Route Table should restrict CIDR | Documentation |
| EC2 Instance Has Public IP | 5a2486aa-facf-477d-a5c1-b010789459ce | High | Networking and Firewall | EC2 Instance should not have a public IP address. | Documentation |
| DB Security Group With Public Scope | 1e0ef61b-ad85-4518-a3d3-85eaad164885 | High | Networking and Firewall | The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it | Documentation |
| Default Security Groups With Unrestricted Traffic | 46883ce1-dc3e-4b17-9195-c6a601624c73 | High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. | Documentation |
| Route53 Record Undefined | 25db74bf-fa3b-44da-934e-8c3e005c0453 | High | Networking and Firewall | Check if Record is set | Documentation |
| Network ACL With Unrestricted Access To SSH | 3af7f2fd-06e6-4dab-b996-2912bea19ba4 | High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Network ACL | Documentation |
| Remote Desktop Port Open To Internet | 151187cb-0efc-481c-babd-ad24e3c9bc22 | High | Networking and Firewall | The Remote Desktop port is open to the internet in a Security Group | Documentation |
| DB Security Group Open To Large Scope | 4f615f3e-fb9c-4fad-8b70-2e9f781806ce | High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. | Documentation |
| VPC Default Security Group Accepts All Traffic | 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75 | High | Networking and Firewall | Default Security Group attached to every VPC should restrict all traffic | Documentation |
| Network ACL With Unrestricted Access To RDP | a20be318-cac7-457b-911d-04cc6e812c25 | High | Networking and Firewall | 'RDP' (TCP:3389) should not be public in AWS Network ACL | Documentation |
| Unknown Port Exposed To Internet | 590d878b-abdc-428f-895a-e2b68a0e1998 | High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
| ALB Listening on HTTP | de7f5e83-da88-4046-871f-ea18504b1d43 | High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP | Documentation |
RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1
High Networking and Firewall RDS should not run in public subnet Documentation
Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696
High Networking and Firewall 'SSH' (TCP:22) should not be public in AWS Security Group Documentation
KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d
High Observability AWS KMS Key should have a valid deletion window Documentation
Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132
High Observability AWS Config Configuration Aggregator All Regions must be set to True Documentation
CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d
High Observability Ensure a log metric filter and alarm exist for IAM policy changes Documentation
CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4
High Observability CloudTrail Log Files S3 Bucket should have 'logging' enabled Documentation
CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933
High Observability Ensure a log metric filter and alarm exist for management console sign-in without MFA Documentation
CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774
High Observability Checks if logging is enabled for CloudTrail. Documentation
CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3
High Observability CloudTrail Log Files S3 Bucket should not be publicly accessible Documentation
CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b
High Observability Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. Documentation
CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5
High Observability Ensure a log metric filter and alarm exist for unauthorized API calls Documentation
CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0
High Observability Ensure a log metric filter and alarm exist for root account usage Documentation
Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771
Medium Access Control Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12
Medium Access Control Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f
Medium Access Control User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503
Medium Access Control User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a
Medium Access Control User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485
Medium Access Control Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88
Medium Access Control User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69
Medium Access Control Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff
Medium Access Control Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871
Medium Access Control Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6
Medium Access Control User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d
Medium Access Control Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7
Medium Access Control Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b
Medium Access Control Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d
Medium Access Control Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3
Medium Access Control Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc
Medium Access Control SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. Documentation
Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4
Medium Access Control Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1
Medium Access Control Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b
Medium Access Control Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' Documentation
User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0
Medium Access Control User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde
Medium Access Control Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e
Medium Access Control Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a
Medium Access Control Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b
Medium Access Control Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27
Medium Access Control REST API policy should avoid wildcard in 'Action' and 'Principal' Documentation
Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267
Medium Access Control Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552
Medium Access Control AWS IAM Users should not have access to console Documentation
Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92
Medium Access Control Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a
Medium Access Control Amazon ECR image repositories shouldn't have public access Documentation
CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8
Medium Access Control CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' Documentation
Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f
Medium Access Control Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39
Medium Access Control The attribute 'action' should not have wildcard Documentation
User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081
Medium Access Control User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17
Medium Access Control Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
API Gateway Method Does Not Contain An API Key
671211c5-5d2a-4e97-8867-30fc28b02216
Medium Access Control An API Key should be required on a method request. Documentation
User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa
Medium Access Control User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e
Medium Access Control AWS Elasticsearch should ensure IAM Authentication Documentation
User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c
Medium Access Control User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7
Medium Access Control User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec
Medium Access Control Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba
Medium Access Control Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. Documentation
SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3
Medium Access Control SQS policy allows ALL (*) actions Documentation
Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51
Medium Access Control Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328
Medium Access Control User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5
Medium Access Control Neptune Cluster should have IAM Database Authentication enabled Documentation
Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca
Medium Access Control Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77
Medium Access Control User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46
Medium Access Control Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
API Gateway Without Configured Authorizer
ed35928e-195c-4405-a252-98ccb664ab7C
Medium Access Control API Gateway REST API should have an API Gateway Authorizer Documentation
Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f
Medium Access Control Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22
Medium Access Control Glue policy should avoid wildcard in 'principals' and 'actions' Documentation
Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593
Medium Access Control Public and private EC2 instances should not share the same role. Documentation
User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5
Medium Access Control User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e
Medium Access Control Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa
Medium Access Control User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12
Medium Access Control User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf
Medium Access Control Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f
Medium Access Control Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks on the queue Documentation
IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a
Medium Access Control Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources Documentation
Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2
Medium Access Control Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74
Medium Access Control Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77
Medium Access Control Allows running a Lambda function through a public API Gateway Documentation
Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e
Medium Access Control Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c
Medium Access Control Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4
Medium Access Control User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433
Medium Access Control User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2
Medium Access Control Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204
Medium Access Control Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f
Medium Access Control S3 bucket allows public ACL Documentation
IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46
Medium Access Control Check if IAM Access Key is active for some user besides 'root' Documentation
Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c
Medium Access Control Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b
Medium Access Control User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6
Medium Access Control Expired SSL/TLS certificates should be removed Documentation
Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347
Medium Access Control Lambda Permission Principal should not contain a wildcard. Documentation
Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54
Medium Access Control All policies, except IAM identity-based policies, should have the 'Principal' element defined Documentation
Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990
Medium Access Control Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf
Medium Access Control Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698
Medium Access Control Limits access to AWS AMIs by checking if more than one account is using the same image Documentation
SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963
Medium Access Control SES policy should not allow IAM actions to all principals Documentation
IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e
Medium Access Control IAM policies should be attached only to groups or roles Documentation
Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69
Medium Access Control Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512
Medium Access Control User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. Documentation
Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e
Medium Access Control Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access Documentation
ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d
Medium Availability ElastiCache Nodes should have 'az_mode' set to 'cross-az' in multi-node clusters Documentation
CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50
Medium Availability AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true Documentation
Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505
Medium Availability AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. Documentation
ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed
Medium Availability ECS Service should have at least 1 task running Documentation
ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab
Medium Backup ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 Documentation
Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97
Medium Backup Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction Documentation
RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02
Medium Backup Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup Documentation
IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48
Medium Best Practices IAM password should have the required symbols Documentation
ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379
Medium Best Practices It's considered a best practice when using Application Load Balancers to drop invalid header fields Documentation
Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0
Medium Best Practices AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users Documentation
Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90
Medium Best Practices No password expiration policy Documentation
RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02
Medium Best Practices RDS Cluster backup retention period should be specifically defined Documentation
IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9
Medium Best Practices IAM Password should have at least one lowercase letter Documentation
Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a
Medium Best Practices Check if the IAM account password policy has password reuse prevention configured with 24 Documentation
IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249
Medium Best Practices IAM password should have at least one uppercase letter Documentation
IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d
Medium Best Practices IAM password should have the required minimum length Documentation
Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4
Medium Build Process AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body Documentation
API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b
Medium Encryption API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. Documentation
Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7
Medium Encryption Checks if the ECR Image has been scanned Documentation
S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9
Medium Encryption S3 Bucket policy should not accept HTTP Requests Documentation
AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702
Medium Encryption AmazonMQ Broker should have Encryption Options defined Documentation
ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a
Medium Encryption Check if ElasticSearch encryption is disabled at Rest Documentation
DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294
Medium Encryption AWS DynamoDB Tables should have server-side encryption Documentation
Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2
Medium Encryption Elasticsearch Domain encryption should be enabled node to node Documentation
Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f
Medium Encryption Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys Documentation
Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e
Medium Encryption Neptune database cluster storage should have encryption enabled Documentation
Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3
Medium Encryption Check if Memcached is disabled on ElastiCache Documentation
SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591
Medium Encryption SNS (Simple Notification Service) Topic should be encrypted Documentation
EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12
Medium Encryption EBS volumes should be encrypted Documentation
Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd
Medium Encryption AWS Secrets Manager should use an AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret Documentation
DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d
Medium Encryption DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys Documentation
Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c
Medium Encryption Check if AWS Config rules do not identify Encrypted Volumes as a source. Documentation
ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e
Medium Encryption ElastiCache Replication Group encryption should be enabled at Transit Documentation
SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433
Medium Encryption SSM Session should be encrypted in transit Documentation
ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2
Medium Encryption Check if any ElasticSearch domain isn't encrypted with KMS. Documentation
ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2
Medium Encryption ElastiCache Replication Group encryption should be enabled at Rest Documentation
SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f
Medium Encryption SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys Documentation
SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f
Medium Encryption Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) Documentation
ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb
Medium Insecure Configurations ECR should have immutable image tags. This prevents image tags from being overwritten. Documentation
EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8
Medium Insecure Configurations Amazon EKS public endpoint should be set to false Documentation
AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76
Medium Insecure Configurations Unchangeable passwords in AWS password policy Documentation
MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb
Medium Insecure Configurations Check if any MQ Broker is not publicly accessible Documentation
Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3
Medium Insecure Configurations Redshift Cluster should be configured in VPC (Virtual Private Cloud) Documentation
IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5
Medium Insecure Configurations Any IAM User should not have more than one access key, since it increases the risk of unauthorized access and compromised credentials Documentation
API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8
Medium Insecure Configurations API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. Documentation
API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440
Medium Insecure Configurations SSL Client Certificate should be enabled Documentation
Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b
Medium Insecure Configurations The certificate should use an RSA key with a length equal to or higher than 256 bytes Documentation
Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9
Medium Insecure Configurations Check that AWS Organizations has all features enabled, in order to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). Documentation
Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e
Medium Insecure Configurations EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. Documentation
SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d
Medium Networking and Firewall SQS VPC Endpoint should have DNS resolution enabled Documentation
VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c
Medium Networking and Firewall VPC Subnet should not assign public IP Documentation
Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1
Medium Networking and Firewall A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol Documentation
VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a
Medium Networking and Firewall VPC should have a Network Firewall associated Documentation
API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1
Medium Networking and Firewall The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet Documentation
Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0
Medium Networking and Firewall A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol Documentation
API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884
Medium Networking and Firewall API Gateway should have WAF (Web Application Firewall) enabled Documentation
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0
Medium Networking and Firewall Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. Documentation
ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7
Medium Networking and Firewall All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service Documentation
Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d
Medium Networking and Firewall Dynamodb VPC Endpoint should be associated with Route Table Association Documentation
API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326
Medium Observability API Gateway should have Access Log Settings defined Documentation
API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36
Medium Observability AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation Documentation
API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296
Medium Observability API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. Documentation
Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2
Medium Observability AWS Elasticsearch should have logs enabled Documentation
CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf
Medium Observability Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK Documentation
Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480
Medium Observability Ensure a log metric filter and alarm exist for CloudTrail configuration changes Documentation
Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13
Medium Observability It isn't recommended to use resources in default VPC Documentation
S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07
Medium Observability S3 Bucket object-level CloudTrail logging should be enabled for read and write events Documentation
S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c
Medium Observability S3 bucket should have versioning enabled Documentation
CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13
Medium Observability Ensure a log metric filter and alarm exist for S3 bucket policy changes Documentation
CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5
Medium Observability Checks if CloudWatch Metrics is Enabled Documentation
ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45
Medium Observability Ensure that AWS Elasticsearch enables support for slow logs Documentation
CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e
Medium Observability CloudTrail should be integrated with CloudWatch Documentation
GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473
Medium Observability Make sure that Amazon GuardDuty is Enabled Documentation
MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a
Medium Observability Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). Documentation
MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239
Medium Observability Ensure MSK Cluster Logging is enabled Documentation
CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd
Medium Observability Check if SNS topic name is set for CloudTrail Documentation
Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006
Medium Observability Ensure a log metric filter and alarm exist for security group changes Documentation
CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5
Medium Observability AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined Documentation
API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b
Medium Observability API Gateway should have X-Ray Tracing enabled Documentation
CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919
Medium Observability Ensure a log metric filter and alarm exist for AWS Management Console authentication failures Documentation
Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa
Medium Observability Make sure Logging is enabled for Redshift Cluster Documentation
CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d
Medium Observability CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled Documentation
CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755
Medium Observability AWS CloudWatch Log groups should have retention days specified Documentation
CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3
Medium Observability Ensure a log metric filter and alarm exist for AWS organizations changes Documentation
ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79
Medium Observability ELB should have logging enabled to help with error investigation Documentation
Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09
Medium Observability AWS CloudFormation should have stack notifications enabled to be notified when an event occurs Documentation
CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967
Medium Observability Check if CloudWatch logging is disabled for Route53 hosted zones Documentation
S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884
Medium Observability Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable Documentation
No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052
Medium Resource Management AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions Documentation
Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b
Medium Secret Management AWS Access Key should not be hardcoded Documentation
Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce
Medium Secret Management Lambda access/secret keys should not be hardcoded Documentation
IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044
Low Access Control IAM Group should have at least one user associated Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97
Low Access Control IAM Policy should not grant 'AssumeRole' permission across all services. Documentation
S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920
Low Access Control S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' Documentation
IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21
Low Access Control IAM role allows all services or principals to assume it Documentation
EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158
Low Access Control EC2 instances should use roles to be granted access to other AWS services Documentation
EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432
Low Access Control EC2 instances should not use default security group(s) Documentation
Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587
Low Availability Autoscaling groups should supply tags for configuration Documentation
IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370
Low Best Practices IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions Documentation
ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d
Low Best Practices ECR Repository should have Policies attached to it Documentation
CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52
Low Best Practices Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. Documentation
Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0
Low Best Practices Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction' Documentation
Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f
Low Best Practices RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. Documentation
Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd
Low Best Practices Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction' Documentation
ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157
Low Encryption ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation Documentation
S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91
Low Insecure Configurations S3 bucket without ignore public ACL Documentation
ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4
Low Insecure Configurations Application Load Balancer should have deletion protection enabled Documentation
RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26
Low Networking and Firewall RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 Documentation
ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc
Low Networking and Firewall ElastiCache should be launched in a Virtual Private Cloud (VPC) Documentation
ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0
Low Networking and Firewall ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 Documentation
EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1
Low Networking and Firewall EC2 Instances should not be configured under a default VPC network Documentation
CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333
Low Networking and Firewall All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service Documentation
EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4
Low Networking and Firewall Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) Documentation
Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f
Low Networking and Firewall Redshift should not use the default port (5439) because an attacker can easily guess the port Documentation
Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12
Low Networking and Firewall AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks Documentation
Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df
Low Observability Amazon EKS control plane logging is not enabled for all log types Documentation
CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e
Low Observability Ensure a log metric filter and alarm exist for network gateways changes Documentation
EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf
Low Observability Amazon EKS control plane logging is not enabled Documentation
ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc
Low Observability ECS Cluster should enable container insights Documentation
Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1
Low Observability AWS Lambda functions should have TracingConfig enabled. For this, the property 'tracing_config.mode' should have the value 'Active' Documentation
CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b
Low Observability Ensure a log metric filter and alarm exist for VPC changes Documentation
CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669
Low Observability CloudTrail log file validation should be enabled to determine whether a log file has been tampered with Documentation
CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216
Low Observability Ensure a log metric filter and alarm exist for route table changes Documentation
Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369
Low Observability Global Accelerator should have flow logs enabled Documentation
CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f
Low Observability Ensure a log metric filter and alarm exist for AWS Config configuration changes Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034
Low Observability API Gateway Deployment should have API Gateway UsagePlan defined and associated. Documentation
CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0
Low Observability Ensure a log metric filter and alarm exist for changes to NACL Documentation
CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7
Low Observability Logs delivered by CloudTrail should be encrypted using KMS Documentation
VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047
Low Observability Every VPC resource should have an associated Flow Log Documentation
DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641
Low Observability DocDB logging should be enabled Documentation
API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e
Low Resource Management API Gateway Stage should have API Gateway UsagePlan defined and associated. Documentation
Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24
Info Access Control Security group must be used or not declared Documentation
Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e
Info Best Practices It's considered a best practice for all rules in AWS Security Group to have a description Documentation
Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10
Info Best Practices AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' Documentation
Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c
Info Best Practices It's considered a best practice for AWS Security Group to have a description Documentation
DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e
Info Best Practices It's considered a best practice to have point in time recovery enabled for DynamoDB Table Documentation
EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766
Info Best Practices It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance Documentation
RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56
Info Observability RDS does not have any kind of logger Documentation
EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6
Info Observability EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled, data is available in 1-minute periods Documentation
Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8
Info Observability Neptune logging should be enabled Documentation
### SHARED (V2/V3)
Below are listed the queries related to Terraform SHARED (V2/V3):
Query Severity Category Description Help
Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd
Info Best Practices All generic git repositories should reference a revision. Documentation
Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b
Info Best Practices All variables should contain a valid description. Documentation
Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66
Info Best Practices All names should follow snake case pattern. Documentation
Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a
Info Best Practices All variables should contain a valid type. Documentation
Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8
Info Best Practices All outputs should contain a valid description. Documentation
### GCP
Below are listed the queries related to Terraform GCP:
Query Severity Category Description Help
VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d
High Access Control A VM instance is configured to use the default service account with full access to all Cloud APIs Documentation
Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3
High Access Control Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' Documentation
OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217
High Access Control Verifies that OSLogin is enabled Documentation
BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4
High Access Control BigQuery dataset is anonymously or publicly accessible Documentation
Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd
High Access Control Cloud Storage Bucket is anonymously or publicly accessible Documentation
SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79
High Backup Checks if backup configuration is enabled for all Cloud SQL Database instances Documentation
KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5
High Encryption KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' Documentation
SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00
High Encryption Cloud SQL Database Instance should have SSL enabled Documentation
DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860
High Encryption DNSSEC should not use the RSASHA1 algorithm, which means that, within the 'dnssec_config' block, the 'default_key_specs' block must not have its 'algorithm' field set to 'rsasha1'. Documentation
IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0
High Insecure Configurations Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE Documentation
Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21
High Insecure Configurations Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty Documentation
Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088
High Insecure Configurations Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true Documentation
Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d
High Insecure Configurations Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined Documentation
Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b
High Insecure Configurations Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true Documentation
SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb
High Insecure Configurations Cloud SQL instances should not be publicly accessible. Documentation
Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7
High Insecure Configurations Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false Documentation
GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067
High Insecure Configurations Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true Documentation
Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e
High Insecure Configurations Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true Documentation
GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719
High Insecure Configurations GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty Documentation
Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa
High Insecure Configurations Gmail accounts are being used instead of corporate credentials Documentation
Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694
High Observability Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' Documentation
IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4
High Observability Audit Logging Configuration is defective Documentation
Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944
High Observability Cloud Storage Bucket should have versioning enabled Documentation
Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d
High Observability Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' Documentation
Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120
High Observability Cloud storage bucket should have logging enabled Documentation
Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa
High Resource Management Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters Documentation
Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c
Medium Access Control Verifies that a Google Project IAM Member Service Account doesn't have an Account User or Token Creator Role associated Documentation
Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40
Medium Access Control Verifies that a Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated Documentation
KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680
Medium Access Control Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member Documentation
Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2
Medium Access Control Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated Documentation
Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336
Medium Encryption This query checks whether a Google Compute SSL Policy allows weak cipher suites; to do so, it checks that the minimum TLS version is TLS_1_2, because other versions have weak ciphers Documentation
Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38
Medium Encryption VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined Documentation
Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0
Medium Insecure Configurations Google Storage Bucket Level Access should be enabled Documentation
COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58
Medium Insecure Configurations The node image should be Container-Optimized OS(COS) Documentation
OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f
Medium Insecure Configurations Check if any VM instance disables OSLogin Documentation
Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351
Medium Insecure Configurations Verifies if the Google Project Auto Create Network is Disabled Documentation
Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e
Medium Insecure Configurations Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true Documentation
Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb
Medium Insecure Configurations DNSSEC must be enabled for Cloud DNS Documentation
Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751
Medium Insecure Configurations Google Compute Engine VM instances should not enable serial ports. When the serial console is enabled, anyone who knows the username, project ID, SSH key, instance name and zone can connect to the VM Documentation
Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332
Medium Insecure Configurations Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. Documentation
GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38
Medium Insecure Defaults Kubernetes Engine Clusters should not be configured to use the default service account Documentation
Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff
Medium Insecure Defaults Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. Documentation
SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0
Medium Networking and Firewall Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges Documentation
Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33
Medium Networking and Firewall Google Compute Network should not use default firewall rule Documentation
RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3
Medium Networking and Firewall Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 Documentation
IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89
Medium Networking and Firewall Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true Documentation
Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78
Medium Networking and Firewall Google Compute Network should not use a firewall rule that allows all ports Documentation
Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609
Medium Observability This query checks if logs are enabled for a Google Compute Subnetwork resource. Documentation
Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672
Medium Resource Management Service account should not have improper privileges like admin, editor, owner, or write roles Documentation
Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01
Medium Secret Management VM Instance should block project-wide SSH keys Documentation
High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027
Medium Secret Management KMS Rotation Period should not exceed 365 days Documentation
High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b
Medium Secret Management Encryption keys should be rotated at least every 90 days Documentation
User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918
Low Best Practices As a best practice, it is better to assign an IAM Role to a group than to a user Documentation
Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4
Low Networking and Firewall Google Compute Network should not use a firewall rule that allows a port range instead of specific ports Documentation
Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5
Low Networking and Firewall Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true Documentation
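As an added example (this is not KICS's own code and not one of the queries above), the following Terraform configuration shows a Compute Engine deployment that satisfies the GCP queries listed above for instances, firewalls, subnetworks and KMS keys. The project, region, resource names and CIDR ranges are assumed values; each resource is annotated with the query it addresses, and the flagged form is noted in comments where it differs from the compliant one.

```hcl
# Added example, not KICS code. Region, names and CIDRs below are assumed values.

# Google Compute Network Using Default Firewall Rule: custom VPC, no auto-created subnets.
resource "google_compute_network" "vpc" {
  name                    = "hardened-vpc"
  auto_create_subnetworks = false
}

# Google Compute Subnetwork Logging Disabled / Private Google Access Disabled
resource "google_compute_subnetwork" "app" {
  name                     = "app-subnet"
  region                   = "europe-west1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true

  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# SSH Access Is Not Restricted: the flagged form is source_ranges = ["0.0.0.0/0"].
# Only Google's IAP TCP-forwarding range may reach port 22, and only on tagged VMs.
resource "google_compute_firewall" "ssh_via_iap" {
  name      = "allow-ssh-from-iap"
  network   = google_compute_network.vpc.id
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["22"]   # a single port, not "0-65535" or a range
  }

  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["ssh-via-iap"]
}

# High KMS Rotation Period / High Google KMS Crypto Key Rotation Period:
# 7776000s is 90 days; longer periods are flagged by both queries.
resource "google_kms_key_ring" "disks" {
  name     = "disk-keys"
  location = "europe-west1"
}

resource "google_kms_crypto_key" "disk" {
  name            = "vm-disk-key"
  key_ring        = google_kms_key_ring.disks.id
  rotation_period = "7776000s"
}

# Using Default Service Account: a dedicated identity with no project-level roles.
resource "google_service_account" "app" {
  account_id   = "app-vm"
  display_name = "App VM runtime identity"
}

resource "google_compute_instance" "app" {
  name         = "app-vm"
  machine_type = "e2-medium"
  zone         = "europe-west1-b"
  tags         = ["ssh-via-iap"]

  can_ip_forward = false   # IP Forwarding Enabled: must not be true

  # Disk Encryption Disabled: boot disk encrypted with the customer-managed key.
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
    kms_key_self_link = google_kms_crypto_key.disk.id
  }

  network_interface {
    subnetwork = google_compute_subnetwork.app.id
    # no access_config block, so the VM gets no public IP
  }

  # Shielded VM Disabled: all three flags must be true.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  service_account {
    email  = google_service_account.app.email
    scopes = ["cloud-platform"]   # limit access via IAM roles on the account
  }

  metadata = {
    enable-oslogin         = "TRUE"    # OSLogin Is Disabled For VM Instance
    block-project-ssh-keys = "TRUE"    # Project-wide SSH Keys Are Enabled
    serial-port-enable     = "FALSE"   # Serial Ports Are Enabled
  }
}
```

Two practical caveats when applying this: the Compute Engine service agent of the project must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the crypto key, or creation of the CMEK-encrypted boot disk fails; and 35.235.240.0/20 is Google's published IAP TCP-forwarding range, so SSH to the tagged instance only works through an IAP tunnel, which is the intended effect of closing port 22 to the Internet.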
### GITHUB
Below are listed the queries related to Terraform GITHUB:
Query Severity Category Description Help
Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9
Medium Encryption Check if insecure SSL is being used in the GitHub organization webhooks Documentation
GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b
Medium Insecure Configurations Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') Documentation