All

Queries List¶

This page contains all queries.

Query	Platform	Severity	Category	Description	Help
S3 Bucket Allows List Action From All Principals ^{_{faa8fddf-c0aa-4b2d-84ff-e993e233ebe9}}	CloudFormation	High	Access Control	S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)	Documentation
MSK Broker Is Publicly Accessible ^{_{0ce1ba20-8ba8-4364-836f-40c24b8cb0ab}}	CloudFormation	High	Access Control	Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)	Documentation
S3 Bucket Allows Get Action From All Principals ^{_{f97b7d23-568f-4bcc-9ac9-02df0d57fbba}}	CloudFormation	High	Access Control	S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)	Documentation
S3 Bucket Allows Restore Actions From All Principals ^{_{456b00a3-1072-4149-9740-6b8bb60251b0}}	CloudFormation	High	Access Control	S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)	Documentation
S3 Bucket ACL Allows Read to All Users ^{_{219f4c95-aa50-44e0-97de-cf71f4641170}}	CloudFormation	High	Access Control	S3 Buckets should not be readable to all users (read more)	Documentation
IAM Policy Grants Full Permissions ^{_{f62aa827-4ade-4dc4-89e4-1433d384a368}}	CloudFormation	High	Access Control	IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)	Documentation
ECS Service Admin Role Is Present ^{_{01986452-bdd8-4aaa-b5df-d6bf61d616ff}}	CloudFormation	High	Access Control	ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)	Documentation
S3 Bucket ACL Allows Read to Any Authenticated User ^{_{835d5497-a526-4aea-a23f-98a9afd1635f}}	CloudFormation	High	Access Control	S3 Buckets should not be readable to any authenticated user (read more)	Documentation
S3 Bucket Allows Public Policy ^{_{860ba89b-b8de-4e72-af54-d6aee4138a69}}	CloudFormation	High	Access Control	S3 bucket allows public policy (read more)	Documentation
IAM Policies With Full Privileges ^{_{953b3cdb-ce13-428a-aa12-318726506661}}	CloudFormation	High	Access Control	IAM policies shouldn't allow full administrative privileges (for all resources) (read more)	Documentation
S3 Bucket Allows Delete Action From All Principals ^{_{acc78859-765e-4011-a229-a65ea57db252}}	CloudFormation	High	Access Control	S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)	Documentation
S3 Bucket Access to Any Principal ^{_{7772bb8c-c0f3-42d4-8e4e-f1b8939ad085}}	CloudFormation	High	Access Control	The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)	Documentation
S3 Bucket With All Permissions ^{_{4ae8af91-5108-42cb-9471-3bdbe596eac9}}	CloudFormation	High	Access Control	S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)	Documentation
Amazon DMS Replication Instance Is Publicly Accessible ^{_{5864fb39-d719-4182-80e2-89dbe627be63}}	CloudFormation	High	Access Control	Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)	Documentation
SNS Topic is Publicly Accessible ^{_{ae53ce91-42b5-46bf-a84f-9a13366a4f13}}	CloudFormation	High	Access Control	SNS Topic Policy should not allow any principal to access (read more)	Documentation
S3 Bucket ACL Allows Read Or Write to All Users ^{_{07dda8de-d90d-469e-9b37-1aca53526ced}}	CloudFormation	High	Access Control	S3 Buckets should not be readable and writable to all users (read more)	Documentation
Lambda Functions With Full Privileges ^{_{a0ae0a4e-712b-4115-8112-51b9eeed9d69}}	CloudFormation	High	Access Control	AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)	Documentation
S3 Bucket Allows Put Action From All Principals ^{_{f6397a20-4cf1-4540-a997-1d363c25ef58}}	CloudFormation	High	Access Control	S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)	Documentation
User Data Shell Script Is Encoded ^{_{48c3bc58-6959-4f27-b647-4fedeace23be}}	CloudFormation	High	Encryption	User Data Shell Script must be encoded (read more)	Documentation
ECS Cluster Not Encrypted At Rest ^{_{6c131358-c54d-419b-9dd6-1f7dd41d180c}}	CloudFormation	High	Encryption	Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)	Documentation
ELB Without Secure Protocol ^{_{80908a75-586b-4c61-ab04-490f4f4525b8}}	CloudFormation	High	Encryption	Check if the ELB is setup with SSL or HTTPS for secure communication (read more)	Documentation
Redshift Cluster Without KMS CMK ^{_{de76a0d6-66d5-45c9-9022-f05545b85c78}}	CloudFormation	High	Encryption	AWS Redshift Cluster should have KMS CMK defined (read more)	Documentation
CloudFormation Specifying Credentials Not Safe ^{_{9ecb6b21-18bc-4aa7-bd07-db20f1c746db}}	CloudFormation	High	Encryption	Specifying credentials in the template itself is probably not safe to do. (read more)	Documentation
IAM Database Auth Not Enabled ^{_{9fcd0a0a-9b6f-4670-a215-d94e6bf3f184}}	CloudFormation	High	Encryption	IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)	Documentation
S3 Bucket SSE Disabled ^{_{64ab651b-f5b2-4af0-8c89-ddd03c4d0e61}}	CloudFormation	High	Encryption	If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)	Documentation
S3 Bucket Without SSL In Write Actions ^{_{38c64e76-c71e-4d92-a337-60174d1de1c9}}	CloudFormation	High	Encryption	S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)	Documentation
EFS Without KMS ^{_{6d087495-2a42-4735-abf7-02ef5660a7e6}}	CloudFormation	High	Encryption	Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)	Documentation
ELB Using Insecure Protocols ^{_{61a94903-3cd3-4780-88ec-fc918819b9c8}}	CloudFormation	High	Encryption	ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)	Documentation
RDS Storage Not Encrypted ^{_{5beacce3-4020-4a3d-9e1d-a36f953df630}}	CloudFormation	High	Encryption	RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)	Documentation
S3 Bucket Without Server-side-encryption ^{_{b2e8752c-3497-4255-98d2-e4ae5b46bbf5}}	CloudFormation	High	Encryption	S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)	Documentation
Kinesis SSE Not Configured ^{_{7f65be75-90ab-4036-8c2a-410aef7bb650}}	CloudFormation	High	Encryption	AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)	Documentation
EFS Volume With Disabled Transit Encryption ^{_{c1282e03-b285-4637-aee7-eefe3a7bb658}}	CloudFormation	High	Encryption	Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)	Documentation
ElastiCache With Disabled at Rest Encryption ^{_{e4ee3903-9225-4b6a-bdfb-e62dbadef821}}	CloudFormation	High	Encryption	Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)	Documentation
Secure Ciphers Disabled ^{_{be96849c-3df6-49c2-bc16-778a7be2519c}}	CloudFormation	High	Encryption	Check if secure ciphers aren't used in CloudFront (read more)	Documentation
API Gateway Cache Encrypted Disabled ^{_{37cca703-b74c-48ba-ac81-595b53398e9b}}	CloudFormation	High	Encryption	'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)	Documentation
Connection Between CloudFront Origin Not Encrypted ^{_{a5366a50-932f-4085-896b-41402714a388}}	CloudFormation	High	Encryption	Checks if the connection between the CloudFront and the origin server is encrypted (read more)	Documentation
ECS Task Definition Container With Plaintext Password ^{_{f9b10cdb-eaab-4e39-9793-e12b94a582ad}}	CloudFormation	High	Encryption	It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)	Documentation
User Data Contains Encoded Private Key ^{_{568cc372-ca64-420d-9015-ee347d00d288}}	CloudFormation	High	Encryption	User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)	Documentation
DynamoDB With Aws Owned CMK ^{_{c8dee387-a2e6-4a73-a942-183c975549ac}}	CloudFormation	High	Encryption	AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)	Documentation
ELB Using Weak Ciphers ^{_{809f77f8-d10e-4842-a84f-3be7b6ff1190}}	CloudFormation	High	Encryption	ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)	Documentation
SageMaker Data Encryption Disabled ^{_{709e6da6-fa1f-44cc-8f17-7f25f96dadbe}}	CloudFormation	High	Encryption	Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)	Documentation
ElastiCache With Disabled Transit Encryption ^{_{3b02569b-fc6f-4153-b3a3-ba91022fed68}}	CloudFormation	High	Encryption	Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)	Documentation
MSK Cluster Encryption Disabled ^{_{a976d63f-af0e-46e8-b714-8c1a9c4bf768}}	CloudFormation	High	Encryption	Ensure MSK Cluster encryption in rest and transit is enabled (read more)	Documentation
Redshift Not Encrypted ^{_{3b316b05-564c-44a7-9c3f-405bb95e211e}}	CloudFormation	High	Encryption	AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)	Documentation
Cloudfront Viewer Protocol Policy Allows HTTP ^{_{31733ee2-fef0-4e87-9778-65da22a8ecf1}}	CloudFormation	High	Encryption	Checks if the connection between CloudFront and the viewer is encrypted (read more)	Documentation
EFS Not Encrypted ^{_{2ff8e83c-90e1-4d68-a300-6d652112e622}}	CloudFormation	High	Encryption	Elastic File System (EFS) must be encrypted (read more)	Documentation
CMK Unencrypted Storage ^{_{ffee2785-c347-451e-89f3-11aeb08e5c84}}	CloudFormation	High	Encryption	Ensure that storage is encrypted. (read more)	Documentation
API Gateway Without Security Policy ^{_{8275fab0-68ec-4705-bbf4-86975edb170e}}	CloudFormation	High	Insecure Configurations	API Gateway should have a Security Policy defined and use TLS 1.2. (read more)	Documentation
Redshift Publicly Accessible ^{_{bdf8dcb4-75df-4370-92c4-606e4ae6c4d3}}	CloudFormation	High	Insecure Configurations	AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)	Documentation
KMS Key With Full Permissions ^{_{da905474-7454-43c0-b8d2-5756ab951aba}}	CloudFormation	High	Insecure Configurations	The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)	Documentation
S3 Bucket With Unsecured CORS Rule ^{_{3609d27c-3698-483a-9402-13af6ae80583}}	CloudFormation	High	Insecure Configurations	If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)	Documentation
RDS DB Instance Publicly Accessible ^{_{de38e1d5-54cb-4111-a868-6f7722695007}}	CloudFormation	High	Insecure Configurations	RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)	Documentation
ECS Task Definition Network Mode Not Recommended ^{_{027a4b7a-8a59-4938-a04f-ed532512cf45}}	CloudFormation	High	Insecure Configurations	Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)	Documentation
Batch Job Definition With Privileged Container Properties ^{_{76ddf32c-85b1-4808-8935-7eef8030ab36}}	CloudFormation	High	Insecure Configurations	Batch Job Definition should not have Privileged Container Properties (read more)	Documentation
S3 Static Website Host Enabled ^{_{90501b1b-cded-4cc1-9e8b-206b85cda317}}	CloudFormation	High	Insecure Configurations	Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)	Documentation
S3 Bucket Without Restriction Of Public Bucket ^{_{350cd468-0e2c-44ef-9d22-cfb73a62523c}}	CloudFormation	High	Insecure Configurations	S3 bucket without restriction of public bucket (read more)	Documentation
Root Account Has Active Access Keys ^{_{4c137350-7307-4803-8c04-17c09a7a9fcf}}	CloudFormation	High	Insecure Configurations	The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)	Documentation
CloudFront Without Minimum Protocol TLS 1.2 ^{_{dc17ee4b-ddf2-4e23-96e8-7a36abad1303}}	CloudFormation	High	Insecure Configurations	CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)	Documentation
Permissive Web ACL Default Action ^{_{6d64f311-3da6-45f3-80f1-14db9771ea40}}	CloudFormation	High	Insecure Defaults	WebAcl DefaultAction should not be ALLOW (read more)	Documentation
Vulnerable Default SSL Certificate ^{_{b4d9c12b-bfba-4aeb-9cb8-2358546d8041}}	CloudFormation	High	Insecure Defaults	CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)	Documentation
EC2 Instance Subnet Has Public IP Mapping On Launch ^{_{b3de4e4c-14be-4159-b99d-9ad194365e4c}}	CloudFormation	High	Networking and Firewall	EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)	Documentation
Remote Desktop Port Open To Internet ^{_{c9846969-d066-431f-9b34-8c4abafe422a}}	CloudFormation	High	Networking and Firewall	The Remote Desktop port is open to the internet in a Security Group (read more)	Documentation
Security Group Unrestricted Access To RDP ^{_{3ae83918-7ec7-4cb8-80db-b91ef0f94002}}	CloudFormation	High	Networking and Firewall	Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)	Documentation
DB Security Group With Public Scope ^{_{9564406d-e761-4e61-b8d7-5926e3ab8e79}}	CloudFormation	High	Networking and Firewall	The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)	Documentation
Route53 Record Undefined ^{_{24d932e1-91f0-46ea-836f-fdbd81694151}}	CloudFormation	High	Networking and Firewall	Route53 HostedZone must have the Record Set defined. (read more)	Documentation
EC2 Public Instance Exposed Through Subnet ^{_{c44c95fc-ae92-4bb8-bdf8-bb9bc412004a}}	CloudFormation	High	Networking and Firewall	EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)	Documentation
Security Groups With Exposed Admin Ports ^{_{cdbb0467-2957-4a77-9992-7b55b29df7b7}}	CloudFormation	High	Networking and Firewall	Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)	Documentation
EC2 Network ACL Overlapping Ports ^{_{77b6f1e2-bde4-4a6a-ae7e-a40659ff1576}}	CloudFormation	High	Networking and Firewall	NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)	Documentation
Unrestricted Security Group Ingress ^{_{4a1e6b34-1008-4e61-a5f2-1f7c276f8d14}}	CloudFormation	High	Networking and Firewall	AWS Security Group Ingress CIDR should not be open to the world (read more)	Documentation
Fully Open Ingress ^{_{e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5}}	CloudFormation	High	Networking and Firewall	ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)	Documentation
Elasticsearch with HTTPS disabled ^{_{4cdc88e6-c0c8-4081-a639-bb3a557cbedf}}	CloudFormation	High	Networking and Firewall	Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)	Documentation
Unknown Port Exposed To Internet ^{_{829ce3b8-065c-41a3-ad57-e0accfea82d2}}	CloudFormation	High	Networking and Firewall	AWS Security Group should not have an unknown port exposed to the entire Internet (read more)	Documentation
HTTP Port Open To Internet ^{_{ddfc4eaa-af23-409f-b96c-bf5c45dc4daa}}	CloudFormation	High	Networking and Firewall	The HTTP port is open to the internet in a Security Group (read more)	Documentation
Default Security Groups With Unrestricted Traffic ^{_{ea33fcf7-394b-4d11-a228-985c5d08f205}}	CloudFormation	High	Networking and Firewall	Check if default security group does not restrict all inbound and outbound traffic. (read more)	Documentation
SageMaker Notebook Not Placed In VPC ^{_{9c7028d9-04c2-45be-b8b2-1188ccaefb36}}	CloudFormation	High	Networking and Firewall	SageMaker Notebook must be placed in a VPC (read more)	Documentation
Security Groups Allows Unrestricted Outbound Traffic ^{_{66f2d8f9-a911-4ced-ae27-34f09690bb2c}}	CloudFormation	High	Networking and Firewall	No security group should allow unrestricted egress access (read more)	Documentation
Security Groups With Meta IP ^{_{adcd0082-e90b-4b63-862b-21899f6e6a48}}	CloudFormation	High	Networking and Firewall	Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)	Documentation
ELB Sensitive Port Is Exposed To Entire Network ^{_{78055456-f670-4d2e-94d5-392d1cf4f5e4}}	CloudFormation	High	Networking and Firewall	The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)	Documentation
RDS Associated with Public Subnet ^{_{4e88adee-a8eb-4605-a78d-9fb1096e3091}}	CloudFormation	High	Networking and Firewall	RDS should not run in public subnet (read more)	Documentation
EKS node group remote access ^{_{73d59e76-a12c-4b74-a3d8-d3e1e19c25b3}}	CloudFormation	High	Networking and Firewall	Ensure Amazon EKS Node group has implict SSH access (read more)	Documentation
ALB Listening on HTTP ^{_{275a3217-ca37-40c1-a6cf-bb57d245ab32}}	CloudFormation	High	Networking and Firewall	AWS Application Load Balancer (alb) should not listen on HTTP (read more)	Documentation
EC2 Sensitive Port Is Publicly Exposed ^{_{494b03d3-bf40-4464-8524-7c56ad0700ed}}	CloudFormation	High	Networking and Firewall	The EC2 instance has a sensitive port connection exposed to the entire network (read more)	Documentation
Security Group With Unrestricted Access To SSH ^{_{6e856af2-62d7-4ba2-adc1-73b62cef9cc1}}	CloudFormation	High	Networking and Firewall	'SSH' (TCP:22) should not be public in AWS Security Group (read more)	Documentation
DB Security Group Open To Large Scope ^{_{0104165b-02d5-426f-abc9-91fb48189899}}	CloudFormation	High	Networking and Firewall	The IP address in a DB Security Group must not have more than 256 hosts. (read more)	Documentation
CloudTrail Logging Disabled ^{_{5c0b06d5-b7a4-484c-aeb0-75a836269ff0}}	CloudFormation	High	Observability	Checks if logging is enabled for CloudTrail. (read more)	Documentation
CMK Rotation Disabled ^{_{1c07bfaf-663c-4f6f-b22b-8e2d481e4df5}}	CloudFormation	High	Observability	Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)	Documentation
S3 Bucket CloudTrail Logging Disabled ^{_{c3ce69fd-e3df-49c6-be78-1db3f802261c}}	CloudFormation	High	Observability	Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)	Documentation
Elasticsearch Without IAM Authentication ^{_{5c666ed9-b586-49ab-9873-c495a833b705}}	CloudFormation	Medium	Access Control	AWS Elasticsearch should ensure IAM Authentication (read more)	Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously ^{_{818f38ed-8446-4132-9c03-474d49e10195}}	CloudFormation	Medium	Access Control	SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)	Documentation
SQS Policy With Public Access ^{_{9b6a3f5b-5fd6-40ee-9bc0-ed604911212d}}	CloudFormation	Medium	Access Control	Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)	Documentation
Empty Roles For ECS Cluster Task Definitions ^{_{7f384a5f-b5a2-4d84-8ca3-ee0a5247becb}}	CloudFormation	Medium	Access Control	Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)	Documentation
IoT Policy Allows Action as Wildcard ^{_{4d32780f-43a4-424a-a06d-943c543576a5}}	CloudFormation	Medium	Access Control	IoT Policy should not allow Action to be set as * (read more)	Documentation
KMS Allows Wildcard Principal ^{_{f6049677-ec4a-43af-8779-5190b6d03cba}}	CloudFormation	Medium	Access Control	KMS Should not allow Principal parameter to be set as * (read more)	Documentation
EC2 Instance Has No IAM Role ^{_{f914357d-8386-4d56-9ba6-456e5723f9a6}}	CloudFormation	Medium	Access Control	Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)	Documentation
EC2 Network ACL Ineffective Denied Traffic ^{_{2623d682-dccb-44cd-99d0-54d9fd62f8f2}}	CloudFormation	Medium	Access Control	Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)	Documentation
Public Lambda via API Gateway ^{_{57b12981-3816-4c31-b190-a1e614361dd2}}	CloudFormation	Medium	Access Control	Allowing to run lambda function using public API Gateway (read more)	Documentation
IAM Policy On User ^{_{e4239438-e639-44aa-adb8-866e400e3ade}}	CloudFormation	Medium	Access Control	IAM policies should be applied to groups and not to users (read more)	Documentation
Lambda Permission Principal Is Wildcard ^{_{1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7}}	CloudFormation	Medium	Access Control	Lambda Permission Principal should not contain a wildcard. (read more)	Documentation
IAM Policies Attached To User ^{_{edc95c10-7366-4f30-9b4b-f995c84eceb5}}	CloudFormation	Medium	Access Control	IAM policies should be attached only to groups or roles (read more)	Documentation
API Gateway Without Configured Authorizer ^{_{7fd0d461-5b8c-4815-898c-f2b4b117eb28}}	CloudFormation	Medium	Access Control	API Gateway REST API should have an API Gateway Authorizer (read more)	Documentation
IoT Policy Allows Wildcard Resource ^{_{be5b230d-4371-4a28-a441-85dc760e2aa3}}	CloudFormation	Medium	Access Control	IoT Policy should not allow Resource to be set as * (read more)	Documentation
Neptune Cluster With IAM Database Authentication Disabled ^{_{a3aa0087-8228-4e7e-b202-dc9036972d02}}	CloudFormation	Medium	Access Control	Neptune Cluster should have IAM Database Authentication enabled (read more)	Documentation
SQS Queue Policy Allows NotAction ^{_{4fbfee74-8186-40d5-a24e-4baa76a855de}}	CloudFormation	Medium	Access Control	AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)	Documentation
Cross-Account IAM Assume Role Policy Without ExternalId or MFA ^{_{85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7}}	CloudFormation	Medium	Access Control	Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)	Documentation
SQS Queue Policy Allows NotPrincipal ^{_{4a8fc9a2-2b2f-4b3f-aa8d-401425872034}}	CloudFormation	Medium	Access Control	Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)	Documentation
S3 Bucket Allows Public ACL ^{_{48f100d9-f499-4c6d-b2b8-deafe47ffb26}}	CloudFormation	Medium	Access Control	S3 bucket allows public ACL (read more)	Documentation
ECR Repository Is Publicly Accessible ^{_{75be209d-1948-41f6-a8c8-e22dd0121134}}	CloudFormation	Medium	Access Control	Amazon ECR image repositories shouldn't have public access (read more)	Documentation
API Gateway Method Does Not Contains An API Key ^{_{3641d5b4-d339-4bc2-bfb9-208fe8d3477f}}	CloudFormation	Medium	Access Control	An API Key should be required on a method request. (read more)	Documentation
EBS Volume Not Attached To Instances ^{_{1819ac03-542b-4026-976b-f37addd59f3b}}	CloudFormation	Medium	Availability	EBS Volumes that are unattached to instances may contain sensitive data (read more)	Documentation
ElastiCache Nodes Not Created Across Multi AZ ^{_{cfdef2e5-1fe4-4ef4-bea8-c56e08963150}}	CloudFormation	Medium	Availability	ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)	Documentation
CMK Is Unusable ^{_{2844c749-bd78-4cd1-90e8-b179df827602}}	CloudFormation	Medium	Availability	AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)	Documentation
ECS Service Without Running Tasks ^{_{79d745f0-d5f3-46db-9504-bef73e9fd528}}	CloudFormation	Medium	Availability	ECS Service should have at least 1 task running (read more)	Documentation
Auto Scaling Group With No Associated ELB ^{_{ad21e616-5026-4b9d-990d-5b007bfe679c}}	CloudFormation	Medium	Availability	AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)	Documentation
RDS With Backup Disabled ^{_{8c415f6f-7b90-4a27-a44a-51047e1506f9}}	CloudFormation	Medium	Backup	Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)	Documentation
Stack Retention Disabled ^{_{fe974ae9-858e-4991-bbd5-e040a834679f}}	CloudFormation	Medium	Backup	Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)	Documentation
Low RDS Backup Retention Period ^{_{e649a218-d099-4550-86a4-1231e1fcb60d}}	CloudFormation	Medium	Backup	AWS RDS backup retention policy should be at least 7 days (read more)	Documentation
RDS Multi-AZ Deployment Disabled ^{_{2b1d4935-9acf-48a7-8466-10d18bf51a69}}	CloudFormation	Medium	Backup	AWS RDS Instance should have a multi-az deployment (read more)	Documentation
IAM Managed Policy Applied to a User ^{_{0e5872b4-19a0-4165-8b2f-56d9e14b909f}}	CloudFormation	Medium	Best Practices	Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)	Documentation
IAM Password Without Lowercase Letter ^{_{f4cf35d6-da92-48de-ab70-57be2b2e6497}}	CloudFormation	Medium	Best Practices	IAM Password should have at least one lowercase letter (read more)	Documentation
IAM Password Without Number ^{_{839f238f-2e3a-4a72-b945-8abdf91af955}}	CloudFormation	Medium	Best Practices	IAM user resource Login Profile Password should have at least one number (read more)	Documentation
IAM Password Without Minimum Length ^{_{b1b20ae3-8fa7-4af5-a74d-a2145920fcb1}}	CloudFormation	Medium	Best Practices	IAM password should have the required minimum length (read more)	Documentation
Cognito UserPool Without MFA ^{_{74a18d1a-cf02-4a31-8791-ed0967ad7fdc}}	CloudFormation	Medium	Best Practices	AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)	Documentation
IAM User Without Password Reset ^{_{a964d6e3-8e1e-4d93-8120-61fa640dd55a}}	CloudFormation	Medium	Best Practices	IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)	Documentation
IAM Password Without Symbol ^{_{d72a7869-e8b9-4e12-bcd2-e8be10b39fa7}}	CloudFormation	Medium	Best Practices	IAM password should have the required symbols (read more)	Documentation
IAM Password Without Uppercase Letter ^{_{445020f6-b69e-4484-847f-02d4b7768902}}	CloudFormation	Medium	Best Practices	IAM password should have at least one uppercase letter (read more)	Documentation
ECS No Load Balancer Attached ^{_{fb2b0ecf-1492-491a-a70d-ba1df579175d}}	CloudFormation	Medium	Best Practices	Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)	Documentation
ElasticSearch Not Encrypted At Rest ^{_{86a248ab-0e01-4564-a82a-878303e253bb}}	CloudFormation	Medium	Encryption	Check if ElasticSearch encryption is disabled at Rest (read more)	Documentation
RDS Storage Encryption Disabled ^{_{65844ba3-03a1-40a8-b3dd-919f122e8c95}}	CloudFormation	Medium	Encryption	RDS DBCluster should have storage encrypted set to true (read more)	Documentation
DynamoDB Table Not Encrypted ^{_{4bd21e68-38c1-4d58-acdc-6a14b203237f}}	CloudFormation	Medium	Encryption	AWS DynamoDB Tables should have server-side encryption (read more)	Documentation
Unscanned ECR Image ^{_{9025b2b3-e554-4842-ba87-db7aeec36d35}}	CloudFormation	Medium	Encryption	Checks if the ECR Image has been scanned (read more)	Documentation
KMS Key Rotation Disabled ^{_{235ca980-eb71-48f4-9030-df0c371029eb}}	CloudFormation	Medium	Encryption	EnableKeyRotation should not be false or undefined (read more)	Documentation
EMR Security Configuration Encryption Disabled ^{_{5b033ec8-f079-4323-b5c8-99d4620433a9}}	CloudFormation	Medium	Encryption	EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)	Documentation
Default KMS Key Usage ^{_{e52395b4-250b-4c60-81d5-2e58c1d37abc}}	CloudFormation	Medium	Encryption	When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)	Documentation
SageMaker EndPoint Config Should Specify KmsKeyId Attribute ^{_{44034eda-1c3f-486a-831d-e09a7dd94354}}	CloudFormation	Medium	Encryption	KmsKeyId attribute should be defined (read more)	Documentation
Workspace Without Encryption ^{_{89827c57-5a8a-49eb-9731-976a606d70db}}	CloudFormation	Medium	Encryption	Workspaces should have encryption enabled (read more)	Documentation
Memcached Disabled ^{_{dd0971a6-09c3-4168-8474-a7ef8fbfd99d}}	CloudFormation	Medium	Encryption	Check if the Memcached is disabled on the ElastiCache (read more)	Documentation
IAM Group Inline Policies ^{_{a58d1a2d-4078-4b80-855b-84cc3f7f4540}}	CloudFormation	Medium	Encryption	IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)	Documentation
AmazonMQ Broker Encryption Disabled ^{_{316278b3-87ac-444c-8f8f-a733a28da60f}}	CloudFormation	Medium	Encryption	AmazonMQ Broker should have Encryption Options defined (read more)	Documentation
ElasticSearch Encryption With KMS Disabled ^{_{d926aa95-0a04-4abc-b20c-acf54afe38a1}}	CloudFormation	Medium	Encryption	Check if any ElasticSearch domain isn't encrypted with KMS. (read more)	Documentation
SQS With SSE Disabled ^{_{12726829-93ed-4d51-9cbe-13423f4299e1}}	CloudFormation	Medium	Encryption	Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)	Documentation
Config Rule For Encrypted Volumes Disabled ^{_{1b6322d9-c755-4f8c-b804-32c19250f2d9}}	CloudFormation	Medium	Encryption	Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)	Documentation
EBS Volume Encryption Disabled ^{_{80b7ac3f-d2b7-4577-9b10-df7913497162}}	CloudFormation	Medium	Encryption	EBS volumes should be encrypted (read more)	Documentation
API Gateway With Invalid Compression ^{_{d6653eee-2d4d-4e6a-976f-6794a497999a}}	CloudFormation	Medium	Encryption	API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)	Documentation
CloudTrail Log Files Not Encrypted With KMS ^{_{050a9ba8-d1cb-4c61-a5e8-8805a70d3b85}}	CloudFormation	Medium	Encryption	Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)	Documentation
Neptune Database Cluster Encryption Disabled ^{_{bf4473f1-c8a2-4b1b-8134-bd32efabab93}}	CloudFormation	Medium	Encryption	Neptune database cluster storage should have encryption enabled (read more)	Documentation
CodeBuild Not Encrypted ^{_{d7467bb6-3ed1-4c82-8095-5e7a818d0aad}}	CloudFormation	Medium	Encryption	CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)	Documentation
Alexa Skill Plaintext Client Secret Exposed ^{_{3c3b7a58-b018-4d07-9444-d9ee7156e111}}	CloudFormation	Medium	Encryption	Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)	Documentation
IAM User Has Too Many Access Keys ^{_{48677914-6fdf-40ec-80c4-2b0e94079f54}}	CloudFormation	Medium	Insecure Configurations	Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)	Documentation
Inline Policies Are Attached To ECS Service ^{_{9e8c89b3-7997-4d15-93e4-7911b9db99fd}}	CloudFormation	Medium	Insecure Configurations	Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)	Documentation
API Gateway Without SSL Certificate ^{_{ed4c48b8-eccc-4881-95c1-09fdae23db25}}	CloudFormation	Medium	Insecure Configurations	SSL Client Certificate should be enabled (read more)	Documentation
EMR Cluster Without Security Configuration ^{_{48af92a5-c89b-4936-bc62-1086fe2bab23}}	CloudFormation	Medium	Insecure Configurations	EMR Cluster should have security configuration defined. (read more)	Documentation
Lambda Functions Without Unique IAM Roles ^{_{ae03f542-1423-402f-9cef-c834e7ee9583}}	CloudFormation	Medium	Insecure Configurations	AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)	Documentation
API Gateway With Open Access ^{_{1056dfbb-5802-4762-bf2b-8b9b9684b1b0}}	CloudFormation	Medium	Insecure Configurations	API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)	Documentation
ECR Image Tag Not Immutable ^{_{33f41d31-86b1-46a4-81f7-9c9a671f59ac}}	CloudFormation	Medium	Insecure Configurations	ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)	Documentation
Lambda Function Without Tags ^{_{8df8e857-bd59-44fa-9f4c-d77594b95b46}}	CloudFormation	Medium	Insecure Configurations	AWS Lambda Functions must have associated tags. (read more)	Documentation
SageMaker Enabling Internet Access ^{_{88d55d94-315d-4564-beee-d2d725feab11}}	CloudFormation	Medium	Insecure Configurations	SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)	Documentation
Instance With No VPC ^{_{8a6d36cd-0bc6-42b7-92c4-67acc8576861}}	CloudFormation	Medium	Insecure Configurations	EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)	Documentation
IAM User LoginProfile Password Is In Plaintext ^{_{06adef8c-c284-4de7-aad2-af43b07a8ca1}}	CloudFormation	Medium	Insecure Configurations	IAM User LoginProfile Password must not be a plaintext string (read more)	Documentation
MQ Broker Is Publicly Accessible ^{_{68b6a789-82f8-4cfd-85de-e95332fe6a61}}	CloudFormation	Medium	Insecure Configurations	Check if any MQ Broker is not publicly accessible (read more)	Documentation
GitHub Repository Set To Public ^{_{5906092d-5f74-490d-9a03-78febe0f65e1}}	CloudFormation	Medium	Insecure Configurations	Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)	Documentation
S3 Bucket Should Have Bucket Policy ^{_{37fa8188-738b-42c8-bf82-6334ea567738}}	CloudFormation	Medium	Insecure Defaults	Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)	Documentation
RouterTable with Default Routing ^{_{4f0908b9-eb66-433f-9145-134274e1e944}}	CloudFormation	Medium	Insecure Defaults	NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)	Documentation
EC2 Permissive Network ACL Protocols ^{_{03879981-efa2-47a0-a818-c843e1441b88}}	CloudFormation	Medium	Networking and Firewall	To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)	Documentation
ELB With Security Group Without Inbound Rules ^{_{e200a6f3-c589-49ec-9143-7421d4a2c845}}	CloudFormation	Medium	Networking and Firewall	An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)	Documentation
VPC Without Network Firewall ^{_{3e293410-d5b8-411f-85fd-7d26294f20c9}}	CloudFormation	Medium	Networking and Firewall	VPC should have a Network Firewall associated (read more)	Documentation
Security Group Egress With All Protocols ^{_{ee464fc2-54a6-4e22-b10a-c6dcd2474d0c}}	CloudFormation	Medium	Networking and Firewall	AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)	Documentation
Security Group Ingress With All Protocols ^{_{1a427b25-2e9e-4298-9530-0499a55e736b}}	CloudFormation	Medium	Networking and Firewall	AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)	Documentation
ELB With Security Group Without Outbound Rules ^{_{01d5a458-a6c4-452a-ac50-054d59275b7c}}	CloudFormation	Medium	Networking and Firewall	An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)	Documentation
API Gateway Endpoint Config is Not Private ^{_{4a8daf95-709d-4a36-9132-d3e19878fa34}}	CloudFormation	Medium	Networking and Firewall	The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)	Documentation
GameLift Fleet EC2 InboundPermissions With Port Range ^{_{43356255-495d-4148-ad8d-f6af5eac09dd}}	CloudFormation	Medium	Networking and Firewall	AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)	Documentation
Security Groups Without VPC Attached ^{_{493d9591-6249-47bf-8dc0-5c10161cc558}}	CloudFormation	Medium	Networking and Firewall	Security Groups must have a VPC. (read more)	Documentation
Security Group Ingress With Port Range ^{_{87482183-a8e7-4e42-a566-7a23ec231c16}}	CloudFormation	Medium	Networking and Firewall	AWS Security Group Ingress should have a single port (read more)	Documentation
API Gateway without WAF ^{_{fcbf9019-566c-4832-a65c-af00d8137d2b}}	CloudFormation	Medium	Networking and Firewall	API Gateway should have WAF (Web Application Firewall) enabled (read more)	Documentation
Security Group Egress CIDR Open To World ^{_{1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a}}	CloudFormation	Medium	Networking and Firewall	AWS Security Group Egress CIDR should not be open to the world (read more)	Documentation
Security Group Egress With Port Range ^{_{dae9c373-8287-462f-8746-6f93dad93610}}	CloudFormation	Medium	Networking and Firewall	AWS Security Group Egress should have a single port (read more)	Documentation
TCP/UDP Protocol Network ACL Entry Allows All Ports ^{_{f57f849c-883b-4cb7-85e7-f7b199dff163}}	CloudFormation	Medium	Networking and Firewall	TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)	Documentation
ALB Is Not Integrated With WAF ^{_{105ba098-1e34-48cd-b0f2-a8a43a51bf9b}}	CloudFormation	Medium	Networking and Firewall	All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)	Documentation
ELBv2 ALB Access Log Disabled ^{_{c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621}}	CloudFormation	Medium	Observability	ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)	Documentation
API Gateway X-Ray Disabled ^{_{4ab10c48-bedb-4deb-8f3b-ff12783b61de}}	CloudFormation	Medium	Observability	API Gateway should have X-Ray Tracing enabled (read more)	Documentation
Redshift Cluster Logging Disabled ^{_{3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6}}	CloudFormation	Medium	Observability	Make sure Logging is enabled for Redshift Cluster (read more)	Documentation
ELB Access Log Disabled ^{_{ee12ad32-2863-4c0f-b13f-28272d115028}}	CloudFormation	Medium	Observability	ELB should have access log enabled (read more)	Documentation
CloudWatch Metrics Disabled ^{_{5d3c1807-acb3-4bb0-be4e-0440230feeaf}}	CloudFormation	Medium	Observability	Checks if CloudWatch Metrics is Enabled (read more)	Documentation
S3 Bucket Without Versioning ^{_{a227ec01-f97a-4084-91a4-47b350c1db54}}	CloudFormation	Medium	Observability	S3 bucket should have versioning enabled (read more)	Documentation
Configuration Aggregator to All Regions Disabled ^{_{9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d}}	CloudFormation	Medium	Observability	AWS Config Configuration Aggregator All Regions must be set to True (read more)	Documentation
ElasticSearch Without Slow Logs ^{_{086ea2eb-14a6-4fd4-914b-38e0bc8703e8}}	CloudFormation	Medium	Observability	Ensure that AWS Elasticsearch enables support for slow logs (read more)	Documentation
S3 Bucket Logging Disabled ^{_{4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c}}	CloudFormation	Medium	Observability	Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)	Documentation
API Gateway Stage Access Logging Settings Not Defined ^{_{80d45af4-4920-4236-a56e-b7ef419d1941}}	CloudFormation	Medium	Observability	API Gateway Stage should have Access Logging Settings defined (read more)	Documentation
API Gateway Deployment Without Access Log Setting ^{_{06ec63e3-9f72-4fe2-a218-2eb9200b8db5}}	CloudFormation	Medium	Observability	API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)	Documentation
CloudWatch Logging Disabled ^{_{0f0fb06b-0f2f-4374-8588-f2c7c348c7a0}}	CloudFormation	Medium	Observability	Check if CloudWatch logging is disabled for Route53 hosted zones (read more)	Documentation
GuardDuty Detector Disabled ^{_{a25cd877-375c-4121-a640-730929936fac}}	CloudFormation	Medium	Observability	Make sure that Amazon GuardDuty is Enabled (read more)	Documentation
CloudFront Logging Disabled ^{_{de77cd9f-0e8b-46cc-b4a4-b6b436838642}}	CloudFormation	Medium	Observability	AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)	Documentation
MQ Broker Logging Disabled ^{_{e519ed6a-8328-4b69-8eb7-8fa549ac3050}}	CloudFormation	Medium	Observability	Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)	Documentation
CloudTrail Multi Region Disabled ^{_{058ac855-989f-4378-ba4d-52d004020da7}}	CloudFormation	Medium	Observability	CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)	Documentation
Stack Notifications Disabled ^{_{837e033c-4717-40bd-807e-6abaa30161b7}}	CloudFormation	Medium	Observability	AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)	Documentation
MSK Cluster Logging Disabled ^{_{fc7c2c15-f5d0-4b80-adb2-c89019f8f62b}}	CloudFormation	Medium	Observability	Ensure MSK Cluster Logging is enabled (read more)	Documentation
CloudTrail Not Integrated With CloudWatch ^{_{65d07da5-9af5-44df-8983-52d2e6f24c44}}	CloudFormation	Medium	Observability	CloudTrail should be integrated with CloudWatch (read more)	Documentation
CloudTrail SNS Topic Name Undefined ^{_{3e09413f-471e-40f3-8626-990c79ae63f3}}	CloudFormation	Medium	Observability	Check if SNS topic name is set for CloudTrail (read more)	Documentation
Elasticsearch Logs Disabled ^{_{edbd62d4-8700-41de-b000-b3cfebb5e996}}	CloudFormation	Medium	Observability	AWS Elasticsearch should have logs enabled (read more)	Documentation
EBS Volume Without KmsKeyId ^{_{b7063015-6c31-4658-a8e7-14f98f37fd42}}	CloudFormation	Medium	Secret Management	EBS Volume should specify a KmsKeyId value (read more)	Documentation
DMS Endpoint MongoDB Settings Password Exposed ^{_{f988a17f-1139-46a3-8928-f27eafd8b024}}	CloudFormation	Medium	Secret Management	DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)	Documentation
High Access Key Rotation Period ^{_{800fa019-49dd-421b-9042-7331fdd83fa2}}	CloudFormation	Medium	Secret Management	ConfigRule should enforce access keys to be rotated within 90 days. (read more)	Documentation
Secrets Manager Should Specify KmsKeyId ^{_{c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22}}	CloudFormation	Medium	Secret Management	Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)	Documentation
Amplify App Access Token Exposed ^{_{73980e43-f399-4fcc-a373-658228f7adf7}}	CloudFormation	Medium	Secret Management	Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)	Documentation
Directory Service Simple AD Password Exposed ^{_{6685d912-d81f-4cfa-95ad-e316ea31c989}}	CloudFormation	Medium	Secret Management	DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)	Documentation
Amplify App Basic Auth Config Password Exposed ^{_{71493c8b-3014-404c-9802-078b74496fb7}}	CloudFormation	Medium	Secret Management	Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)	Documentation
SNS Topic Without KmsMasterKeyId ^{_{9d13b150-a2ab-42a1-b6f4-142e41f81e52}}	CloudFormation	Medium	Secret Management	KmsMasterKeyId attribute should not be undefined (read more)	Documentation
Amplify Branch Basic Auth Config Password Exposed ^{_{dfb56e5d-ee68-446e-b32a-657b62befe69}}	CloudFormation	Medium	Secret Management	Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)	Documentation
Amplify App OAuth Token Exposed ^{_{03b38885-8f4e-480c-a0e4-12c1affd15db}}	CloudFormation	Medium	Secret Management	Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)	Documentation
DMS Endpoint Password Exposed ^{_{5f700072-b7ce-4e84-b3f3-497bf1c24a4d}}	CloudFormation	Medium	Secret Management	DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)	Documentation
Hardcoded AWS Access Key In Lambda ^{_{2564172f-c92b-4261-9acd-464aed511696}}	CloudFormation	Medium	Secret Management	Lambda access/secret keys should not be hardcoded (read more)	Documentation
DocDB Cluster Master Password In Plaintext ^{_{39423ce4-9011-46cd-b6b1-009edcd9385d}}	CloudFormation	Medium	Secret Management	DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)	Documentation
Directory Service Microsoft AD Password Set to Plaintext or Default Ref ^{_{06b9f52a-8cd5-459b-bdc6-21a22521e1be}}	CloudFormation	Medium	Secret Management	Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)	Documentation
RefreshToken Is Exposed ^{_{5b48c507-0d1f-41b0-a630-76817c6b4189}}	CloudFormation	Medium	Secret Management	Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)	Documentation
IAM Group Without Users ^{_{8f957abd-9703-413d-87d3-c578950a753c}}	CloudFormation	Low	Access Control	IAM Group should have at least one user associated (read more)	Documentation
IAM User With No Group ^{_{06933df4-0ea7-461c-b9b5-104d27390e0e}}	CloudFormation	Low	Access Control	A IAM user should belong to a group (read more)	Documentation
IAM Role Allows All Principals To Assume ^{_{f80e3aa7-7b34-4185-954e-440a6894dde6}}	CloudFormation	Low	Access Control	IAM role allows all services or principals to assume it (read more)	Documentation
EC2 Instance Using Default Security Group ^{_{08b81bb3-0985-4023-8602-b606ad81d279}}	CloudFormation	Low	Access Control	EC2 instances should not use default security group(s) (read more)	Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services ^{_{e835bd0d-65da-49f7-b6d1-b646da8727e6}}	CloudFormation	Low	Access Control	IAM Policy should not grant 'AssumeRole' permission across all services. (read more)	Documentation
Support Has No Role Associated ^{_{d71b5fd7-9020-4b2d-9ec8-b3839faa2744}}	CloudFormation	Low	Access Control	Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)	Documentation
VPC Attached With Too Many Gateways ^{_{97e94d17-e2c7-4109-a53b-6536ac1bb64e}}	CloudFormation	Low	Availability	The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)	Documentation
RDS DB Instance With Deletion Protection Disabled ^{_{2c161e58-cb52-454f-abea-6470c37b5e6e}}	CloudFormation	Low	Backup	RDS DBInstance should have deletion protection set to true (read more)	Documentation
CDN Configuration Is Missing ^{_{e4f54ff4-d352-40e8-a096-5141073c37a2}}	CloudFormation	Low	Best Practices	Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)	Documentation
Security Group Ingress Has CIDR Not Recommended ^{_{a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd}}	CloudFormation	Low	Best Practices	AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)	Documentation
Automatic Minor Upgrades Disabled ^{_{f0104061-8bfc-4b45-8a7d-630eb502f281}}	CloudFormation	Low	Best Practices	RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)	Documentation
Lambda Permission Misconfigured ^{_{9b83114b-b2a1-4534-990d-06da015e47aa}}	CloudFormation	Low	Best Practices	Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)	Documentation
IAM Access Analyzer Not Enabled ^{_{8d29754a-2a18-460d-a1ba-9509f8d359da}}	CloudFormation	Low	Best Practices	IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)	Documentation
Geo Restriction Disabled ^{_{7f8843f0-9ea5-42b4-a02b-753055113195}}	CloudFormation	Low	Best Practices	Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)	Documentation
IAM Policies Without Groups ^{_{5e7acff5-095b-40ac-9073-ac2e4ad8a512}}	CloudFormation	Low	Best Practices	IAM policy should not apply directly to users, should be with a group (read more)	Documentation
EFS Without Tags ^{_{08e39832-5e42-4304-98a0-aa5b43393162}}	CloudFormation	Low	Build Process	Amazon Elastic Filesystem should have filesystem tags associated (read more)	Documentation
DynamoDB With Not Recommented Table Billing Mode ^{_{c333e906-8d8b-4275-b999-78b6318f8dc6}}	CloudFormation	Low	Build Process	Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)	Documentation
S3 Bucket Without Ignore Public ACL ^{_{6c8d51af-218d-4bfb-94a9-94eabaa0703a}}	CloudFormation	Low	Insecure Configurations	S3 bucket without ignore public ACL (read more)	Documentation
API Gateway Cache Cluster Disabled ^{_{52790cad-d60d-41d5-8483-146f9f21208d}}	CloudFormation	Low	Insecure Configurations	AWS API Gateway should have cache clustering enabled (read more)	Documentation
Lambda Function Without Dead Letter Queue ^{_{c2eae442-d3ba-4cb1-84ca-1db4f80eae3d}}	CloudFormation	Low	Insecure Configurations	AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)	Documentation
Wildcard In ACM Certificate Domain Name ^{_{cc8b294f-006f-4f8f-b5bb-0a9140c33131}}	CloudFormation	Low	Insecure Configurations	ACM Certificate should not use wildcards (*) in the domain name (read more)	Documentation
Shield Advanced Not In Use ^{_{ad7444cf-817a-4765-a79e-2145f7981faf}}	CloudFormation	Low	Networking and Firewall	AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)	Documentation
EMR Without VPC ^{_{bf89373a-be40-4c04-99f5-746742dfd7f3}}	CloudFormation	Low	Networking and Firewall	Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)	Documentation
EC2 Instance Using Default VPC ^{_{e42a3ef0-5325-4667-84bf-075ba1c9d58e}}	CloudFormation	Low	Networking and Firewall	EC2 Instances should not be configured under a default VPC network (read more)	Documentation
EC2 Network ACL Duplicate Rule ^{_{045ddb54-cfc5-4abb-9e05-e427b2bc96fe}}	CloudFormation	Low	Networking and Firewall	A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)	Documentation
Redshift Using Default Port ^{_{a478af30-8c3a-404d-aa64-0b673cee509a}}	CloudFormation	Low	Networking and Firewall	Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)	Documentation
RDS Using Default Port ^{_{1fe9d958-ddce-4228-a124-05265a959a8b}}	CloudFormation	Low	Networking and Firewall	RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)	Documentation
ElastiCache Using Default Port ^{_{323db967-c68e-44e6-916c-a777f95af34b}}	CloudFormation	Low	Networking and Firewall	ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)	Documentation
CloudFront Without WAF ^{_{0f139403-303f-467c-96bd-e717e6cfd62d}}	CloudFormation	Low	Networking and Firewall	All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)	Documentation
ElastiCache Without VPC ^{_{ba766c53-fe71-4bbb-be35-b6803f2ef13e}}	CloudFormation	Low	Networking and Firewall	ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)	Documentation
CloudTrail Log File Validation Disabled ^{_{2a3560fe-52ca-4443-b34f-bf0ed5eb74c8}}	CloudFormation	Low	Observability	CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)	Documentation
VPC FlowLogs Disabled ^{_{f6d299d2-21eb-41cc-b1e1-fe12d857500b}}	CloudFormation	Low	Observability	Every VPC resource should have an associated Flow Log (read more)	Documentation
ECS Task Definition HealthCheck Missing ^{_{d24389b4-b209-4ff0-8345-dc7a4569dcdd}}	CloudFormation	Low	Observability	Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)	Documentation
Lambda Functions Without X-Ray Tracing ^{_{9488c451-074e-4cd3-aee3-7db6104f542c}}	CloudFormation	Low	Observability	AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)	Documentation
DocDB Logging Is Disabled ^{_{1bf3b3d4-f373-4d7c-afbb-7d85948a67a5}}	CloudFormation	Low	Observability	DocDB logging should be enabled (read more)	Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated ^{_{783860a3-6dca-4c8b-81d0-7b62769ccbca}}	CloudFormation	Low	Observability	API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)	Documentation
SDB Domain Declared As A Resource ^{_{6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d}}	CloudFormation	Low	Resource Management	SimpleDB Domain resource should not be declared (read more)	Documentation
ECS Task Definition Invalid CPU or Memory ^{_{f4c9b5f5-68b8-491f-9e48-4f96644a1d51}}	CloudFormation	Low	Resource Management	In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)	Documentation
API Gateway Stage Without API Gateway UsagePlan Associated ^{_{7f8f1b60-43df-4c28-aa21-fb836dbd8071}}	CloudFormation	Low	Resource Management	API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)	Documentation
VPC Without Attached Subnet ^{_{3b3b4411-ad1f-40e7-b257-a78a6bb9673a}}	CloudFormation	Low	Resource Management	VPCs without attached subnets may indicate that they are not being used (read more)	Documentation
EC2 Not EBS Optimized ^{_{8dd0ff1f-0da4-48df-9bb3-7f338ae36a40}}	CloudFormation	Info	Best Practices	It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)	Documentation
Security Group Rule Without Description ^{_{5e6c9c68-8a82-408e-8749-ddad78cbb9c5}}	CloudFormation	Info	Best Practices	It's considered a best practice for AWS Security Group to have a description (read more)	Documentation
EC2 Instance Monitoring Disabled ^{_{0264093f-6791-4475-af34-4b8102dcbcd0}}	CloudFormation	Info	Observability	EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)	Documentation
BOM - AWS MSK ^{_{2730c169-51d7-4ae7-99b5-584379eff1bb}}	CloudFormation	Trace	Bill Of Materials	A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)	Documentation
BOM - AWS RDS ^{_{6ef03ff6-a2bd-483c-851f-631f248bc0ea}}	CloudFormation	Trace	Bill Of Materials	A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)	Documentation
BOM - AWS EBS ^{_{0b0556ea-9cd9-476f-862e-20679dda752b}}	CloudFormation	Trace	Bill Of Materials	A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)	Documentation
BOM - AWS S3 Buckets ^{_{b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83}}	CloudFormation	Trace	Bill Of Materials	A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)	Documentation
BOM - AWS Elasticache ^{_{c689f51b-9203-43b3-9d8b-caed123f706c}}	CloudFormation	Trace	Bill Of Materials	A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)	Documentation
BOM - AWS DynamoDB ^{_{4e67c0ae-38a0-47f4-a50c-f0c9b75826df}}	CloudFormation	Trace	Bill Of Materials	A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)	Documentation
BOM - AWS MQ ^{_{209189f3-c879-48a7-9703-fbcfa96d0cef}}	CloudFormation	Trace	Bill Of Materials	A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)	Documentation
BOM - AWS Cassandra ^{_{124b173b-e06d-48a6-8acd-f889443d97a4}}	CloudFormation	Trace	Bill Of Materials	A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)	Documentation
BOM - AWS SNS ^{_{42e7dca3-8cce-4325-8df0-108888259136}}	CloudFormation	Trace	Bill Of Materials	A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)	Documentation
BOM - AWS EFS ^{_{ef05a925-8568-4054-8ff1-f5ba82631c16}}	CloudFormation	Trace	Bill Of Materials	A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)	Documentation
BOM - AWS SQS ^{_{59a849c2-1127-4023-85a5-ef906dcd458c}}	CloudFormation	Trace	Bill Of Materials	A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)	Documentation
BOM - AWS Kinesis ^{_{d53323be-dde6-4457-9a43-42df737e71d2}}	CloudFormation	Trace	Bill Of Materials	A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)	Documentation
Serverless Function Environment Variables Not Encrypted ^{_{a7f8ac28-eed1-483d-87c8-4c325f022572}}	CloudFormation	High	Encryption	AWS Serverless Function should encrypt environment variables (read more)	Documentation
Serverless API Without Content Encoding ^{_{a2f2800e-614b-4bc8-89e6-fec8afd24800}}	CloudFormation	Medium	Encryption	AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)	Documentation
Serverless Function Without Tags ^{_{a71ecabe-03b6-456a-b3bc-d1a39aa20c98}}	CloudFormation	Medium	Insecure Configurations	AWS Serverless Function should have associated tags (read more)	Documentation
Serverless Function Without Unique IAM Role ^{_{4ba74f01-aba5-4be2-83bc-be79ff1a3b92}}	CloudFormation	Medium	Insecure Configurations	AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)	Documentation
Serverless API Endpoint Config Not Private ^{_{6b5b0313-771b-4319-ad7a-122ee78700ef}}	CloudFormation	Medium	Networking and Firewall	AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)	Documentation
Serverless API X-Ray Tracing Disabled ^{_{c757c6a3-ac87-4b9d-b28d-e5a5add6a315}}	CloudFormation	Medium	Observability	AWS Serverless API should have X-Ray Tracing enabled (read more)	Documentation
Serverless API Access Logging Setting Undefined ^{_{0a994e04-c6dc-471d-817e-d37451d18a3b}}	CloudFormation	Medium	Observability	AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)	Documentation
Serverless API Cache Cluster Disabled ^{_{60a05ede-0a68-4d0d-a58f-f538cf55ff79}}	CloudFormation	Low	Insecure Configurations	AWS Serverless API should have cache clustering enabled (read more)	Documentation
Serverless Function Without Dead Letter Queue ^{_{cb2f612b-ed42-4ff5-9fb9-255c73d39a18}}	CloudFormation	Low	Insecure Configurations	AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)	Documentation
Serverless Function Without X-Ray Tracing ^{_{dc1ab429-1481-4540-9b1d-280e3f15f1f8}}	CloudFormation	Low	Observability	AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)	Documentation
UNIX Ports Out Of Range ^{_{71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e}}	Dockerfile	High	Availability	Exposing UNIX ports out of range from 0 to 65535 (read more)	Documentation
WORKDIR Path Not Absolute ^{_{6b376af8-cfe8-49ab-a08d-f32de23661a4}}	Dockerfile	High	Build Process	For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)	Documentation
COPY '--from' References Current FROM Alias ^{_{cdddb86f-95f6-4fc4-b5a1-483d9afceb2b}}	Dockerfile	High	Build Process	COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)	Documentation
Copy With More Than Two Arguments Not Ending With Slash ^{_{6db6e0c2-32a3-4a2e-93b5-72c35f4119db}}	Dockerfile	High	Build Process	When a COPY command has more than two arguments, the last one should end with a slash (read more)	Documentation
Same Alias In Different Froms ^{_{f2daed12-c802-49cd-afed-fe41d0b82fed}}	Dockerfile	High	Build Process	Different FROMS cant have the same alias defined (read more)	Documentation
Multiple ENTRYPOINT Instructions Listed ^{_{6938958b-3f1a-451c-909b-baeee14bdc97}}	Dockerfile	High	Build Process	There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)	Documentation
Missing User Instruction ^{_{fd54f200-402c-4333-a5a4-36ef6709af2f}}	Dockerfile	High	Build Process	A user should be specified in the dockerfile, otherwise the image will run as root (read more)	Documentation
Run Using Sudo ^{_{8ada6e80-0ade-439e-b176-0b28f6bce35a}}	Dockerfile	High	Insecure Configurations	Avoid RUN with sudo command as it leads to unpredictable behavior (read more)	Documentation
Vulnerable OpenSSL Version ^{_{5fa731ea-e844-47a6-a1e8-abc25e95847e}}	Dockerfile	High	Supply-Chain	OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)	Documentation
Changing Default Shell Using RUN Command ^{_{8a301064-c291-4b20-adcb-403fe7fd95fd}}	Dockerfile	Medium	Best Practices	Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)	Documentation
Last User Is 'root' ^{_{67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae}}	Dockerfile	Medium	Best Practices	Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)	Documentation
Multiple CMD Instructions Listed ^{_{41c195f4-fc31-4a5c-8a1b-90605538d49f}}	Dockerfile	Medium	Build Process	There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)	Documentation
Update Instruction Alone ^{_{9bae49be-0aa3-4de5-bab2-4c3a069e40cd}}	Dockerfile	Medium	Build Process	Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)	Documentation
Not Using JSON In CMD And ENTRYPOINT Arguments ^{_{b86987e1-6397-4619-81d5-8807f2387c79}}	Dockerfile	Medium	Build Process	Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)	Documentation
RUN Instruction Using 'cd' Instead of WORKDIR ^{_{f4a6bcd3-e231-4acf-993c-aa027be50d2e}}	Dockerfile	Medium	Build Process	When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)	Documentation
Shell Running A Pipe Without Pipefail Flag ^{_{efbf148a-67e9-42d2-ac47-02fa1c0d0b22}}	Dockerfile	Medium	Insecure Defaults	Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)	Documentation
Apt Get Install Pin Version Not Defined ^{_{965a08d7-ef86-4f14-8792-4a3b2098937e}}	Dockerfile	Medium	Supply-Chain	When installing a package, its pin version should be defined (read more)	Documentation
Missing Zypper Clean ^{_{38300d1a-feb2-4a48-936a-d1ef1cd24313}}	Dockerfile	Medium	Supply-Chain	Reduce layer and image size by deleting unneeded caches after running zypper (read more)	Documentation
APT-GET Missing '-y' To Avoid Manual Input ^{_{77783205-c4ca-4f80-bb80-c777f267c547}}	Dockerfile	Medium	Supply-Chain	Check if apt-get calls use the flag -y to avoid user manual input. (read more)	Documentation
Image Version Using 'latest' ^{_{f45ea400-6bbe-4501-9fc7-1c3d75c32067}}	Dockerfile	Medium	Supply-Chain	When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)	Documentation
Run Using apt ^{_{b84a0b47-2e99-4c9f-8933-98bcabe2b94d}}	Dockerfile	Medium	Supply-Chain	apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)	Documentation
Unpinned Package Version in Apk Add ^{_{d3499f6d-1651-41bb-a9a7-de925fea487b}}	Dockerfile	Medium	Supply-Chain	Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)	Documentation
Missing Version Specification In dnf install ^{_{93d88cf7-f078-46a8-8ddc-178e03aeacf1}}	Dockerfile	Medium	Supply-Chain	Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)	Documentation
Using Platform Flag with FROM Command ^{_{b16e8501-ef3c-44e1-a543-a093238099c9}}	Dockerfile	Medium	Supply-Chain	Don't use '--platform' flag with FROM (read more)	Documentation
Missing Zypper Non-interactive Switch ^{_{45e1fca5-f90e-465d-825f-c2cb63fa3944}}	Dockerfile	Medium	Supply-Chain	Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)	Documentation
NPM Install Command Without Pinned Version ^{_{e36d8880-3f78-4546-b9a1-12f0745ca0d5}}	Dockerfile	Medium	Supply-Chain	Check if packages installed by npm are pinning a specific version. (read more)	Documentation
Add Instead of Copy ^{_{9513a694-aa0d-41d8-be61-3271e056f36b}}	Dockerfile	Medium	Supply-Chain	Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)	Documentation
Yum Clean All Missing ^{_{00481784-25aa-4a55-8633-3136dfcf4f37}}	Dockerfile	Medium	Supply-Chain	Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)	Documentation
Pip install Keeping Cached Packages ^{_{f2f903fb-b977-461e-98d7-b3e2185c6118}}	Dockerfile	Medium	Supply-Chain	When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)	Documentation
Unpinned Package Version in Pip Install ^{_{02d9c71f-3ee8-4986-9c27-1a20d0d19bfc}}	Dockerfile	Medium	Supply-Chain	Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)	Documentation
Missing Dnf Clean All ^{_{295acb63-9246-4b21-b441-7c1f1fb62dc0}}	Dockerfile	Medium	Supply-Chain	Cached package data should be cleaned after installation to reduce image size (read more)	Documentation
Yum install Without Version ^{_{6452c424-1d92-4deb-bb18-a03e95d579c4}}	Dockerfile	Medium	Supply-Chain	Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)	Documentation
Missing Flag From Dnf Install ^{_{7ebd323c-31b7-4e5b-b26f-de5e9e477af8}}	Dockerfile	Medium	Supply-Chain	The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)	Documentation
Gem Install Without Version ^{_{22cd11f7-9c6c-4f6e-84c0-02058120b341}}	Dockerfile	Medium	Supply-Chain	Instead of 'gem install ' we should use 'gem install :' (read more)	Documentation
Image Version Not Explicit ^{_{9efb0b2d-89c9-41a3-91ca-dcc0aec911fd}}	Dockerfile	Medium	Supply-Chain	Always tag the version of an image explicitly (read more)	Documentation
Run Using 'wget' and 'curl' ^{_{fc775e75-fcfb-4c98-b2f2-910c5858b359}}	Dockerfile	Medium	Supply-Chain	Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)	Documentation
Yum Install Allows Manual Input ^{_{6e19193a-8753-436d-8a09-76dcff91bb03}}	Dockerfile	Medium	Supply-Chain	Need to use -y to avoid manual input 'yum install -y ' (read more)	Documentation
Zypper Install Without Version ^{_{562952e4-0348-4dea-9826-44f3a2c6117b}}	Dockerfile	Medium	Supply-Chain	Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)	Documentation
Chown Flag Exists ^{_{aa93e17f-b6db-4162-9334-c70334e7ac28}}	Dockerfile	Low	Best Practices	It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)	Documentation
Exposing Port 22 (SSH) ^{_{5907595b-5b6d-4142-b173-dbb0e73fbff8}}	Dockerfile	Low	Best Practices	Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)	Documentation
Curl or Wget Instead of Add ^{_{4b410d24-1cbe-4430-a632-62c9a931cf1c}}	Dockerfile	Low	Best Practices	Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)	Documentation
Multiple RUN, ADD, COPY, Instructions Listed ^{_{0008c003-79aa-42d8-95b8-1c2fe37dbfe6}}	Dockerfile	Low	Best Practices	Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)	Documentation
MAINTAINER Instruction Being Used ^{_{99614418-f82b-4852-a9ae-5051402b741c}}	Dockerfile	Low	Best Practices	The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)	Documentation
Using Unnamed Build Stages ^{_{68a51e22-ae5a-4d48-8e87-b01a323605c9}}	Dockerfile	Low	Build Process	This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)	Documentation
Healthcheck Instruction Missing ^{_{b03a748a-542d-44f4-bb86-9199ab4fd2d5}}	Dockerfile	Low	Insecure Configurations	Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)	Documentation
Apk Add Using Local Cache Path ^{_{ae9c56a6-3ed1-4ac0-9b54-31267f51151d}}	Dockerfile	Info	Supply-Chain	When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)	Documentation
Apt Get Install Lists Were Not Deleted ^{_{df746b39-6564-4fed-bf85-e9c44382303c}}	Dockerfile	Info	Supply-Chain	After using apt-get install, it is needed to delete apt-get lists (read more)	Documentation
Run Utilities And POSIX Commands ^{_{9b6b0f38-92a2-41f9-b881-3a1083d99f1b}}	Dockerfile	Info	Supply-Chain	Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)	Documentation
APT-GET Not Avoiding Additional Packages ^{_{7384dfb2-fcd1-4fbf-91cd-6c44c318c33c}}	Dockerfile	Info	Supply-Chain	Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)	Documentation
RBAC Wildcard In Rule ^{_{6b896afb-ca07-467a-b256-1a0077a1c08e}}	Kubernetes	High	Access Control	Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)	Documentation
Service Account Lookup Set To False ^{_{a5530bd7-225a-48f9-91bb-f40b04200165}}	Kubernetes	High	Access Control	When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)	Documentation
Always Admit Admission Control Plugin Set ^{_{ce30e584-b33f-4c7d-b418-a3d7027f8f60}}	Kubernetes	High	Access Control	When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)	Documentation
Token Auth File Is Set ^{_{32ecd76e-7bbf-402e-bf48-8b9485749558}}	Kubernetes	High	Access Control	When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)	Documentation
Client Certificate Authentication Not Setup Properly ^{_{e0e00aba-5f1c-4981-a542-9a9563c0ee20}}	Kubernetes	High	Access Control	Client Certificate Authentication should be Setup with a .pem or .crt file (read more)	Documentation
Use Service Account Credentials Not Set To True ^{_{1acd93f1-5a37-45c0-aaac-82ece818be7d}}	Kubernetes	High	Access Control	When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)	Documentation
Node Restriction Admission Control Plugin Not Set ^{_{33fc6923-6553-4fe6-9d3a-4efa51eb874b}}	Kubernetes	High	Access Control	When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)	Documentation
Basic Auth File Is Set ^{_{5da47109-f8d6-4585-9e2b-96a8958a12f5}}	Kubernetes	High	Access Control	When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)	Documentation
Pod Security Policy Admission Control Plugin Not Set ^{_{afa36afb-39fe-4d94-b9b6-afb236f7a03d}}	Kubernetes	High	Build Process	When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)	Documentation
Service Account Private Key File Not Defined ^{_{ccc98ff7-68a7-436e-9218-185cb0b0b780}}	Kubernetes	High	Encryption	When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)	Documentation
Tiller Service Is Not Deleted ^{_{8b862ca9-0fbd-4959-ad72-b6609bdaa22d}}	Kubernetes	High	Insecure Configurations	Check if there is any Tiller Service present (read more)	Documentation
Privilege Escalation Allowed ^{_{5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d}}	Kubernetes	High	Insecure Configurations	Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)	Documentation
Cluster Allows Unsafe Sysctls ^{_{9127f0d9-2310-42e7-866f-5fd9d20dcbad}}	Kubernetes	High	Insecure Configurations	A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)	Documentation
PSP Allows Containers To Share The Host Network Namespace ^{_{a33e9173-b674-4dfb-9d82-cf3754816e4b}}	Kubernetes	High	Insecure Configurations	Check if Pod Security Policies allow containers to share the host network namespace. (read more)	Documentation
Tiller (Helm v2) Is Deployed ^{_{6d173be7-545a-46c6-a81d-2ae52ed1605d}}	Kubernetes	High	Insecure Configurations	Check if Tiller is deployed. (read more)	Documentation
Not Limited Capabilities For Pod Security Policy ^{_{caa93370-791f-4fc6-814b-ba6ce0cb4032}}	Kubernetes	High	Insecure Configurations	Limit capabilities for a Pod Security Policy (read more)	Documentation
Container Is Privileged ^{_{dd29336b-fe57-445b-a26e-e6aa867ae609}}	Kubernetes	High	Insecure Configurations	Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)	Documentation
Shared Host PID Namespace ^{_{302736f4-b16c-41b8-befe-c0baffa0bd9d}}	Kubernetes	High	Insecure Configurations	Container should not share the host process ID namespace (read more)	Documentation
Role Binding To Default Service Account ^{_{1e749bc9-fde8-471c-af0c-8254efd2dee5}}	Kubernetes	High	Insecure Defaults	No role nor cluster role should bind to a default service account (read more)	Documentation
Kubelet HTTPS Set To False ^{_{cdc8b54e-6b16-4538-a1b0-35849dbe29cf}}	Kubernetes	High	Networking and Firewall	When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)	Documentation
Secure Port Set To Zero ^{_{3d24b204-b73d-42cb-b0bf-1a5438c5f71e}}	Kubernetes	High	Networking and Firewall	When using kube-apiserver command, the --secure-port flag should not be 0 (read more)	Documentation
Tiller Deployment Is Accessible From Within The Cluster ^{_{e17fa86a-6222-4584-a914-56e8f6c87e06}}	Kubernetes	High	Networking and Firewall	Check if any Tiller Deployment container allows access from within the cluster. (read more)	Documentation
Etcd Peer TLS Certificate Files Not Properly Set ^{_{09bb9e96-8da3-4736-b89a-b36814acca60}}	Kubernetes	High	Networking and Firewall	When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)	Documentation
Etcd TLS Certificate Not Properly Configured ^{_{895a5a95-3756-4b04-9924-2f3bc93181bd}}	Kubernetes	High	Networking and Firewall	When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)	Documentation
TSL Connection Certificate Not Setup ^{_{fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f}}	Kubernetes	High	Networking and Firewall	TSL Connection Certificate files should be Setup (read more)	Documentation
Etcd TLS Certificate Files Not Properly Set ^{_{075ca296-6768-4322-aea2-ba5063b969a9}}	Kubernetes	High	Networking and Firewall	When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)	Documentation
Bind Address Not Properly Set ^{_{46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2}}	Kubernetes	High	Networking and Firewall	When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)	Documentation
Insecure Port Not Properly Set ^{_{fa4def8c-1898-4a35-a139-7b76b1acdef0}}	Kubernetes	High	Networking and Firewall	When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)	Documentation
Insecure Bind Address Set ^{_{b9380fd3-5ffe-4d10-9290-13e18e71eee1}}	Kubernetes	High	Networking and Firewall	When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)	Documentation
PSP With Unrestricted Access to Host Path ^{_{de4421f1-4e35-43b4-9783-737dd4e4a47e}}	Kubernetes	High	Resource Management	PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)	Documentation
Auto TLS Set To True ^{_{98ce8b81-7707-4734-aa39-627c6db3d84b}}	Kubernetes	High	Secret Management	When using etcd commands, the '--auto-tls' should be set to false (read more)	Documentation
Peer Auto TLS Set To True ^{_{ae8827e2-4af9-4baa-9998-87539ae0d6f0}}	Kubernetes	High	Secret Management	When using etcd commands, the '--peer-auto-tls' should be set to false (read more)	Documentation
Authorization Mode Set To Always Allow ^{_{f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5}}	Kubernetes	Medium	Access Control	When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)	Documentation
Anonymous Auth Is Not Set To False ^{_{1de5cc51-f376-4638-a940-20f2e85ae238}}	Kubernetes	Medium	Access Control	When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)	Documentation
Permissive Access to Create Pods ^{_{592ad21d-ad9b-46c6-8d2d-fad09d62a942}}	Kubernetes	Medium	Access Control	The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)	Documentation
RBAC Roles Allow Privilege Escalation ^{_{8320826e-7a9c-4b0b-9535-578333193432}}	Kubernetes	Medium	Access Control	Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)	Documentation
RBAC Roles with Exec Permission ^{_{c589f42c-7924-4871-aee2-1cede9bc7cbc}}	Kubernetes	Medium	Access Control	Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)	Documentation
Authorization Mode RBAC Not Set ^{_{1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e}}	Kubernetes	Medium	Access Control	When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)	Documentation
Service Account Admission Control Plugin Disabled ^{_{9587c890-0524-40c2-9ce2-663af7c2f063}}	Kubernetes	Medium	Access Control	When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)	Documentation
RBAC Roles with Impersonate Permission ^{_{9f85c3f6-26fd-4007-938a-2e0cb0100980}}	Kubernetes	Medium	Access Control	Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)	Documentation
RBAC Roles with Port-Forwarding Permission ^{_{38fa11ef-dbcc-4da8-9680-7e1fd855b6fb}}	Kubernetes	Medium	Access Control	Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)	Documentation
RBAC Roles with Attach Permission ^{_{d45330fd-f58d-45fb-a682-6481477a0f84}}	Kubernetes	Medium	Access Control	Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)	Documentation
Non Kube System Pod With Host Mount ^{_{aa8f7a35-9923-4cad-bd61-a19b7f6aac91}}	Kubernetes	Medium	Access Control	A non kube-system workload should not have hostPath mounted (read more)	Documentation
RBAC Roles with Read Secrets Permissions ^{_{b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14}}	Kubernetes	Medium	Access Control	Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)	Documentation
Request Timeout Not Properly Set ^{_{d89a15bb-8dba-4c71-9529-bef6729b9c09}}	Kubernetes	Medium	Availability	When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)	Documentation
Readiness Probe Is Not Configured ^{_{a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3}}	Kubernetes	Medium	Availability	Check if Readiness Probe is not configured. (read more)	Documentation
Terminated Pod Garbage Collector Threshold Not Properly Set ^{_{49113af4-29ca-458e-b8d4-724c01a4a24f}}	Kubernetes	Medium	Availability	When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)	Documentation
Container Running As Root ^{_{cf34805e-3872-4c08-bf92-6ff7bb0cfadb}}	Kubernetes	Medium	Best Practices	Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)	Documentation
Container Running With Low UID ^{_{02323c00-cdc3-4fdc-a310-4f2b3e7a1660}}	Kubernetes	Medium	Best Practices	Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)	Documentation
Root Containers Admitted ^{_{e3aa0612-4351-4a0d-983f-aefea25cf203}}	Kubernetes	Medium	Best Practices	Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)	Documentation
Incorrect Volume Claim Access Mode ReadWriteOnce ^{_{3878dc92-8e5d-47cf-9cdd-7590f71d21b9}}	Kubernetes	Medium	Build Process	Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)	Documentation
Always Pull Images Admission Control Plugin Not Set ^{_{a77f4d07-c6e0-4a48-8b35-0eeb51576f4f}}	Kubernetes	Medium	Build Process	When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)	Documentation
Weak TLS Cipher Suites ^{_{510d5810-9a30-443a-817d-5c1fa527b110}}	Kubernetes	Medium	Encryption	TLS Connection should use strong Cipher Suites (read more)	Documentation
Encryption Provider Config Is Not Defined ^{_{cbd2db69-0b21-4c14-8a40-7710a50571a9}}	Kubernetes	Medium	Encryption	When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)	Documentation
Encryption Provider Not Properly Configured ^{_{10efce34-5af6-4d83-b414-9e096d5a06a9}}	Kubernetes	Medium	Encryption	The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)	Documentation
Root CA File Not Defined ^{_{05fb986f-ac73-4ebb-a5b2-7faafa93d882}}	Kubernetes	Medium	Encryption	When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)	Documentation
Seccomp Profile Is Not Configured ^{_{f377b83e-bd07-4f48-a591-60c82b14a78b}}	Kubernetes	Medium	Insecure Configurations	Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)	Documentation
NET_RAW Capabilities Not Being Dropped ^{_{dbbc6705-d541-43b0-b166-dd4be8208b54}}	Kubernetes	Medium	Insecure Configurations	Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)	Documentation
PSP Allows Sharing Host PID ^{_{91dacd0e-d189-4a9c-8272-5999a3cc32d9}}	Kubernetes	Medium	Insecure Configurations	Pod Security Policy allows containers to share the host process ID namespace (read more)	Documentation
PSP With Added Capabilities ^{_{7307579a-3abb-46ad-9ce5-2a915634d5c8}}	Kubernetes	Medium	Insecure Configurations	PodSecurityPolicy should not have added capabilities (read more)	Documentation
Not Limited Capabilities For Container ^{_{2f1a0619-b12b-48a0-825f-993bb6f01d58}}	Kubernetes	Medium	Insecure Configurations	Limit the capabilities for a Container. (read more)	Documentation
PSP Allows Privilege Escalation ^{_{87554eef-154d-411d-bdce-9dbd91e56851}}	Kubernetes	Medium	Insecure Configurations	PodSecurityPolicy should not allow privilege escalation (read more)	Documentation
Container Runs Unmasked ^{_{f922827f-aab6-447c-832a-e1ff63312bd3}}	Kubernetes	Medium	Insecure Configurations	Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)	Documentation
Authorization Mode Node Not Set ^{_{4d7ee40f-fc5d-427d-8cac-dffbe22d42d1}}	Kubernetes	Medium	Insecure Configurations	When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)	Documentation
Kubelet Protect Kernel Defaults Set To False ^{_{6cf42c97-facd-4fda-b8af-ea4529123355}}	Kubernetes	Medium	Insecure Configurations	--protect-kernel-defaults should be set to true (read more)	Documentation
Containers With Added Capabilities ^{_{19ebaa28-fc86-4a58-bcfa-015c9e22fe40}}	Kubernetes	Medium	Insecure Configurations	Containers should not have extra capabilities allowed (read more)	Documentation
Using Unrecommended Namespace ^{_{611ab018-c4aa-4ba2-b0f6-a448337509a6}}	Kubernetes	Medium	Insecure Configurations	Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)	Documentation
PSP Allows Sharing Host IPC ^{_{80f93444-b240-4ebb-a4c6-5c40b76c04ea}}	Kubernetes	Medium	Insecure Configurations	Pod Security Policy allows containers to share the host IPC namespace (read more)	Documentation
Ingress Controller Exposes Workload ^{_{69bbc5e3-0818-4150-89cc-1e989b48f23b}}	Kubernetes	Medium	Insecure Configurations	Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)	Documentation
PSP Set To Privileged ^{_{c48e57d3-d642-4e0b-90db-37f807b41b91}}	Kubernetes	Medium	Insecure Configurations	Do not allow pod to request execution as privileged. (read more)	Documentation
Workload Mounting With Sensitive OS Directory ^{_{5308a7a8-06f8-45ac-bf10-791fe21de46e}}	Kubernetes	Medium	Insecure Configurations	Workload is mounting a volume with sensitive OS Directory (read more)	Documentation
Security Context Deny Admission Control Plugin Not Set ^{_{6a68bebe-c021-492e-8ddb-55b0567fb768}}	Kubernetes	Medium	Insecure Configurations	When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)	Documentation
Containers With Sys Admin Capabilities ^{_{235236ee-ad78-4065-bd29-61b061f28ce0}}	Kubernetes	Medium	Insecure Configurations	Containers should not have CAP_SYS_ADMIN Linux capability (read more)	Documentation
NET_RAW Capabilities Disabled for PSP ^{_{2270987f-bb51-479f-b8be-3ca73e5ad648}}	Kubernetes	Medium	Insecure Configurations	Containers need to have NET_RAW or All as drop capabilities (read more)	Documentation
Service Account Token Automount Not Disabled ^{_{48471392-d4d0-47c0-b135-cdec95eb3eef}}	Kubernetes	Medium	Insecure Defaults	Service Account Tokens are automatically mounted even if not necessary (read more)	Documentation
Service Account Name Undefined Or Empty ^{_{591ade62-d6b0-4580-b1ae-209f80ba1cd9}}	Kubernetes	Medium	Insecure Defaults	A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)	Documentation
CNI Plugin Does Not Support Network Policies ^{_{03aabc8c-35d6-481e-9c85-20139cf72d23}}	Kubernetes	Medium	Networking and Firewall	Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)	Documentation
Network Policy Is Not Targeting Any Pod ^{_{85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3}}	Kubernetes	Medium	Networking and Firewall	Check if any network policy is not targeting any pod. (read more)	Documentation
Service With External Load Balancer ^{_{26763a1c-5dda-4772-b507-5fca7fb5f165}}	Kubernetes	Medium	Networking and Firewall	Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)	Documentation
Pod Misconfigured Network Policy ^{_{0401f71b-9c1e-4821-ab15-a955caa621be}}	Kubernetes	Medium	Networking and Firewall	Check if any pod is not being targeted by a proper network policy. (read more)	Documentation
Kubelet Streaming Connection Timeout Disabled ^{_{ed89b97d-04e9-4fd4-919f-ee5b27e555e9}}	Kubernetes	Medium	Networking and Firewall	The flag --streaming-connection-idle-timeout should not be set to 0 (read more)	Documentation
Kubelet Not Managing Ip Tables ^{_{5f89001f-6dd9-49ff-9b15-d8cd71b617f4}}	Kubernetes	Medium	Networking and Firewall	Kubelet argument --make-iptables-util-chains should be true (read more)	Documentation
Kubelet Read Only Port Is Not Set To Zero ^{_{2940d48a-dc5e-4178-a3f8-bfbd80720b41}}	Kubernetes	Medium	Networking and Firewall	When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)	Documentation
Audit Log Path Not Set ^{_{73e251f0-363d-4e53-86e2-0a93592437eb}}	Kubernetes	Medium	Observability	When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)	Documentation
Audit Policy File Not Defined ^{_{13a49a2e-488e-4309-a7c0-d6b05577a5fb}}	Kubernetes	Medium	Observability	When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)	Documentation
Shared Host Network Namespace ^{_{6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a}}	Kubernetes	Medium	Resource Management	Container should not share the host network namespace (read more)	Documentation
Memory Limits Not Defined ^{_{b14d1bc4-a208-45db-92f0-e21f8e2588e9}}	Kubernetes	Medium	Resource Management	Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)	Documentation
Volume Mount With OS Directory Write Permissions ^{_{b7652612-de4e-4466-a0bf-1cd81f0c6063}}	Kubernetes	Medium	Resource Management	Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)	Documentation
Memory Requests Not Defined ^{_{229588ef-8fde-40c8-8756-f4f2b5825ded}}	Kubernetes	Medium	Resource Management	Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)	Documentation
CPU Limits Not Set ^{_{4ac0e2b7-d2d2-4af7-8799-e8de6721ccda}}	Kubernetes	Medium	Resource Management	CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)	Documentation
CPU Requests Not Set ^{_{ca469dd4-c736-448f-8ac1-30a642705e0a}}	Kubernetes	Medium	Resource Management	CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)	Documentation
Shared Host IPC Namespace ^{_{cd290efd-6c82-4e9d-a698-be12ae31d536}}	Kubernetes	Medium	Resource Management	Container should not share the host IPC namespace (read more)	Documentation
Etcd Client Certificate File Not Defined ^{_{3f5ff8a7-5ad6-4d02-86f5-666307da1b20}}	Kubernetes	Medium	Secret Management	When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)	Documentation
ServiceAccount Allows Access Secrets ^{_{056ac60e-fe07-4acc-9b34-8e1d51716ab9}}	Kubernetes	Medium	Secret Management	Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)	Documentation
Kubelet Client Periodic Certificate Switch Disabled ^{_{52d70f2e-3257-474c-b3dc-8ad9ba6a061a}}	Kubernetes	Medium	Secret Management	Kubelet argument --rotate-certificates should be true (read more)	Documentation
Etcd Client Certificate Authentication Set To False ^{_{9391103a-d8d7-4671-ac5d-606ba7ccb0ac}}	Kubernetes	Medium	Secret Management	When using etcd commands, the '--client-cert-auth' flag should be defined (read more)	Documentation
Service Account Key File Not Properly Set ^{_{dab4ec72-ce2e-4732-b7c3-1757dcce01a1}}	Kubernetes	Medium	Secret Management	When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)	Documentation
Rotate Kubelet Server Certificate Not Active ^{_{1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2}}	Kubernetes	Medium	Secret Management	The RotateKubeletServerCertificate argument should be true (read more)	Documentation
Kubelet Client Certificate Or Key Not Set ^{_{36a27826-1bf5-49da-aeb0-a60a30c0e834}}	Kubernetes	Medium	Secret Management	When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)	Documentation
Not Unique Certificate Authority ^{_{cb7e695d-6a85-495c-b15f-23aed2519303}}	Kubernetes	Medium	Secret Management	Certificate Authority should be unique for etcd (read more)	Documentation
Etcd Peer Client Certificate Authentication Set To False ^{_{b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff}}	Kubernetes	Medium	Secret Management	When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)	Documentation
Kubelet Certificate Authority Not Set ^{_{ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0}}	Kubernetes	Medium	Secret Management	When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)	Documentation
Shared Service Account ^{_{c1032cf7-3628-44e2-bd53-38c17cf31b6b}}	Kubernetes	Medium	Secret Management	A Service Account token is shared between workloads (read more)	Documentation
Cluster Admin Rolebinding With Superuser Permissions ^{_{249328b8-5f0f-409f-b1dd-029f07882e11}}	Kubernetes	Low	Access Control	Ensure that the cluster-admin role is only used where required (RBAC) (read more)	Documentation
Docker Daemon Socket is Exposed to Containers ^{_{a6f34658-fdfb-4154-9536-56d516f65828}}	Kubernetes	Low	Access Control	Sees if Docker Daemon Socket is not exposed to Containers (read more)	Documentation
Missing AppArmor Profile ^{_{8b36775e-183d-4d46-b0f7-96a6f34a723f}}	Kubernetes	Low	Access Control	Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)	Documentation
Liveness Probe Is Not Defined ^{_{ade74944-a674-4e00-859e-c6eab5bde441}}	Kubernetes	Low	Availability	In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)	Documentation
Deployment Without PodDisruptionBudget ^{_{b23e9b98-0cb6-4fc9-b257-1f3270442678}}	Kubernetes	Low	Availability	Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)	Documentation
Event Rate Limit Admission Control Plugin Not Set ^{_{e0099af2-fe17-411f-9991-0de28fe15f3c}}	Kubernetes	Low	Availability	When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)	Documentation
HPA Targets Invalid Object ^{_{2f652c42-619d-4361-b361-9f599688f8ca}}	Kubernetes	Low	Availability	The Horizontal Pod Autoscaler must target a valid object (read more)	Documentation
StatefulSet Without Service Name ^{_{bb241e61-77c3-4b97-9575-c0f8a1e008d0}}	Kubernetes	Low	Availability	StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)	Documentation
HPA Targeted Deployments With Configured Replica Count ^{_{5744cbb8-5946-4b75-a196-ade44449525b}}	Kubernetes	Low	Availability	Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)	Documentation
StatefulSet Without PodDisruptionBudget ^{_{1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5}}	Kubernetes	Low	Availability	StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)	Documentation
No Drop Capabilities for Containers ^{_{268ca686-7fb7-4ae9-b129-955a2a89064e}}	Kubernetes	Low	Best Practices	Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)	Documentation
Object Is Using A Deprecated API Version ^{_{94b76ea5-e074-4ca2-8a03-c5a606e30645}}	Kubernetes	Low	Best Practices	Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)	Documentation
Metadata Label Is Invalid ^{_{1123031a-f921-4c5b-bd86-ef354ecfd37a}}	Kubernetes	Low	Best Practices	Check if any label in the metadata is invalid. (read more)	Documentation
Namespace Lifecycle Admission Control Plugin Disabled ^{_{1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37}}	Kubernetes	Low	Build Process	When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)	Documentation
Image Policy Webhook Admission Control Plugin Not Set ^{_{14abda69-8e91-4acb-9931-76e2bee90284}}	Kubernetes	Low	Build Process	When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)	Documentation
StatefulSet Requests Storage ^{_{8cf4671a-cf3d-46fc-8389-21e7405063a2}}	Kubernetes	Low	Build Process	A StatefulSet requests volume storage. (read more)	Documentation
Root Container Not Mounted Read-only ^{_{a9c2f49d-0671-4fc9-9ece-f4e261e128d0}}	Kubernetes	Low	Build Process	Check if the root container filesystem is not being mounted read-only. (read more)	Documentation
Pod or Container Without Security Context ^{_{a97a340a-0063-418e-b3a1-3028941d0995}}	Kubernetes	Low	Insecure Configurations	A security context defines privilege and access control settings for a Pod or Container (read more)	Documentation
Kubelet Hostname Override Is Set ^{_{bf36b900-b5ef-4828-adb7-70eb543b7cfb}}	Kubernetes	Low	Insecure Configurations	Hostnames should not be overrided (read more)	Documentation
Pod or Container Without ResourceQuota ^{_{48a5beba-e4c0-4584-a2aa-e6894e4cf424}}	Kubernetes	Low	Insecure Configurations	Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)	Documentation
Dashboard Is Enabled ^{_{d2ad057f-0928-41ef-a83c-f59203bb855b}}	Kubernetes	Low	Insecure Configurations	If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)	Documentation
Pod or Container Without LimitRange ^{_{4a20ebac-1060-4c81-95d1-1f7f620e983b}}	Kubernetes	Low	Insecure Configurations	Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)	Documentation
Service Does Not Target Pod ^{_{3ca03a61-3249-4c16-8427-6f8e47dda729}}	Kubernetes	Low	Insecure Configurations	Service should Target a Pod (read more)	Documentation
Image Without Digest ^{_{7c81d34c-8e5a-402b-9798-9f442630e678}}	Kubernetes	Low	Insecure Configurations	Images should be specified together with their digests to ensure integrity (read more)	Documentation
Image Pull Policy Of The Container Is Not Set To Always ^{_{caa3479d-885d-4882-9aac-95e5e78ef5c2}}	Kubernetes	Low	Insecure Configurations	Image Pull Policy of the container must be defined and set to Always (read more)	Documentation
Service Type is NodePort ^{_{845acfbe-3e10-4b8e-b656-3b404d36dfb2}}	Kubernetes	Low	Networking and Firewall	Service type should not be NodePort (read more)	Documentation
Workload Host Port Not Specified ^{_{2b1836f1-dcce-416e-8e16-da8c71920633}}	Kubernetes	Low	Networking and Firewall	Verifies if Kubernetes workload's host port is specified (read more)	Documentation
Audit Policy Not Cover Key Security Concerns ^{_{1828a670-5957-4bc5-9974-47da228f75e2}}	Kubernetes	Low	Observability	Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)	Documentation
Audit Log Maxsize Not Properly Set ^{_{35c0a471-f7c8-4993-aa2c-503a3c712a66}}	Kubernetes	Low	Observability	When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)	Documentation
Audit Log Maxbackup Not Properly Set ^{_{768aab52-2504-4a2f-a3e3-329d5a679848}}	Kubernetes	Low	Observability	When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)	Documentation
Kubelet Event QPS Not Properly Set ^{_{1a07a446-8e61-4e4d-bc16-b0781fcb8211}}	Kubernetes	Low	Observability	When using the kubelet command, the '--event-qps' should be set to 0 (read more)	Documentation
Audit Log Maxage Not Properly Set ^{_{da9f3aa8-fbfb-472f-b5a1-576127944218}}	Kubernetes	Low	Observability	When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)	Documentation
Profiling Not Set To False ^{_{2f491173-6375-4a84-b28e-a4e2b9a58a69}}	Kubernetes	Low	Observability	When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)	Documentation
Container Memory Requests Not Equal To It's Limits ^{_{aafa7d94-62de-4fbf-8838-b69ee217b0e6}}	Kubernetes	Low	Resource Management	A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)	Documentation
Deployment Has No PodAntiAffinity ^{_{a31b7b82-d994-48c4-bd21-3bab6c31827a}}	Kubernetes	Low	Resource Management	Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)	Documentation
Container CPU Requests Not Equal To It's Limits ^{_{9d43040e-e703-4e16-8bfe-8d4da10fa7e6}}	Kubernetes	Low	Resource Management	A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)	Documentation
Container Requests Not Equal To It's Limits ^{_{aee3c7d2-a811-4201-90c7-11c028be9a46}}	Kubernetes	Low	Resource Management	Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)	Documentation
StatefulSet Has No PodAntiAffinity ^{_{d740d048-8ed3-49d3-b77b-6f072f3b669e}}	Kubernetes	Low	Resource Management	Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)	Documentation
CronJob Deadline Not Configured ^{_{192fe40b-b1c3-448a-aba2-6cc19a300fe3}}	Kubernetes	Low	Resource Management	Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)	Documentation
Secrets As Environment Variables ^{_{3d658f8b-d988-41a0-a841-40043121de1e}}	Kubernetes	Low	Secret Management	Container should not use secrets as environment variables (read more)	Documentation
Invalid Image Tag ^{_{583053b7-e632-46f0-b989-f81ff8045385}}	Kubernetes	Low	Supply-Chain	Image tag must be defined and not be empty or equal to latest. (read more)	Documentation
Ensure Administrative Boundaries Between Resources ^{_{e84eaf4d-2f45-47b2-abe8-e581b06deb66}}	Kubernetes	Info	Access Control	As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)	Documentation
Using Kubernetes Native Secret Management ^{_{b9c83569-459b-4110-8f79-6305aa33cb37}}	Kubernetes	Info	Secret Management	Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)	Documentation
Key Vault Not Recoverable ^{_{7c25f361-7c66-44bf-9b69-022acd5eb4bd}}	AzureResourceManager	High	Backup	Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)	Documentation
Secret Without Expiration Date ^{_{cff9c3f7-e8f0-455f-9fb4-5f72326da96e}}	AzureResourceManager	High	Best Practices	All Secrets must have an expiration date defined (read more)	Documentation
Azure Instance Using Basic Authentication ^{_{6797f581-0433-4768-ae3e-7ceb2f8b138e}}	AzureResourceManager	High	Best Practices	Azure Instances should use SSH Key instead of basic authentication (read more)	Documentation
Storage Account Allows Unsecure Transfer ^{_{1367dd13-2c90-4020-80b7-e4339a3dc2c4}}	AzureResourceManager	High	Encryption	'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)	Documentation
Azure Managed Disk Without Encryption ^{_{350f3955-b5be-436f-afaa-3d2be2fa6cdd}}	AzureResourceManager	High	Encryption	Azure Disk Encryption should be enabled (read more)	Documentation
Web App Not Using TLS Last Version ^{_{b5c851d5-00f1-43dc-a8de-3218fd6f71be}}	AzureResourceManager	High	Encryption	Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)	Documentation
Website Not Forcing HTTPS ^{_{488847ff-6031-487c-bf42-98fd6ac5c9a0}}	AzureResourceManager	High	Insecure Configurations	'Microsoft.Web/sites' should force the use of HTTPS (read more)	Documentation
SQL Database Server Firewall Allows All IPS ^{_{6a3201a5-1630-494b-b294-3129d06b0eca}}	AzureResourceManager	High	Networking and Firewall	SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)	Documentation
Network Security Group With Unrestricted Access To RDP ^{_{59cb3da7-f206-4ae6-b827-7abf0a9cab9d}}	AzureResourceManager	High	Networking and Firewall	Port 3389 (Remote Desktop) is exposed to the Internet (read more)	Documentation
Trusted Microsoft Services Not Enabled ^{_{e25b56cd-a4d6-498f-ab92-e6296a082097}}	AzureResourceManager	High	Networking and Firewall	Trusted Microsoft Services should be enabled for Storage Account access (read more)	Documentation
Network Security Group With Unrestricted Access To SSH ^{_{2ade1579-4b2c-4590-bebb-f99bf597f612}}	AzureResourceManager	High	Networking and Firewall	Port 22 (SSH) is exposed to the Internet (read more)	Documentation
Storage Blob Service Container With Public Access ^{_{a0ab985d-660b-41f7-ac81-70957ee8e627}}	AzureResourceManager	High	Networking and Firewall	Storage Blob Service Container should not publicly accessible (read more)	Documentation
Website with Client Certificate Auth Disabled ^{_{92302b47-b0cc-46cb-a28f-5610ecda140b}}	AzureResourceManager	High	Networking and Firewall	'Microsoft.Web/sites' should have client certificate authentication enabled (read more)	Documentation
MySQL Server SSL Enforcement Disabled ^{_{90120147-f2e7-4fda-bb21-6fa9109afd63}}	AzureResourceManager	High	Networking and Firewall	'Microsoft.DBforMySQL/servers' should enforce SSL (read more)	Documentation
PostgreSQL Database Server SSL Disabled ^{_{bf500309-da53-4dd3-bcf7-95f7974545a5}}	AzureResourceManager	High	Networking and Firewall	Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)	Documentation
Role Definitions Allow Custom Subscription Role Creation ^{_{8fa9ceea-881f-4ef0-b0b8-728f589699a7}}	AzureResourceManager	Medium	Access Control	Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)	Documentation
Default Azure Storage Account Network Access Is Too Permissive ^{_{d855ced8-6157-448f-9f1d-f05a41d046f7}}	AzureResourceManager	Medium	Access Control	Make sure that your Azure Storage Account access is limited to those who require it. (read more)	Documentation
AKS Cluster RBAC Disabled ^{_{9307a2ed-35c2-413d-94de-a1a0682c2158}}	AzureResourceManager	Medium	Access Control	Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)	Documentation
SQL Server Database With Alerts Disabled ^{_{574e8d82-1db2-4b9c-b526-e320ede9a9ff}}	AzureResourceManager	Medium	Best Practices	All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)	Documentation
AKS Cluster Network Policy Not Configured ^{_{25c0228e-4444-459b-a2df-93c7df40b7ed}}	AzureResourceManager	Medium	Insecure Configurations	Azure Kubernetes Service must have a network policy defined. (read more)	Documentation
PostgreSQL Database Server Log Connections Disabled ^{_{e69bda39-e1e2-47ca-b9ee-b6531b23aedd}}	AzureResourceManager	Medium	Networking and Firewall	Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)	Documentation
Standard Price Is Not Selected ^{_{2081c7d6-2851-4cce-bda5-cb49d462da42}}	AzureResourceManager	Medium	Networking and Firewall	Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)	Documentation
AKS With Authorized IP Ranges Disabled ^{_{2583fab1-953b-4fae-bd02-4a136a6c21f9}}	AzureResourceManager	Medium	Networking and Firewall	Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)	Documentation
PostgreSQL Database Server Log Checkpoints Disabled ^{_{f9112910-c7bb-4864-9f5e-2059ba413bb7}}	AzureResourceManager	Medium	Networking and Firewall	Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)	Documentation
PostgresSQL Database Server Connection Throttling Disabled ^{_{a6d774b6-d9ea-4bf4-8433-217bf15d2fb8}}	AzureResourceManager	Medium	Networking and Firewall	Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)	Documentation
SQL Server Database With Unrecommended Retention Days ^{_{c09cdac2-7670-458a-bf6c-efad6880973a}}	AzureResourceManager	Medium	Observability	SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)	Documentation
Unrecommended Log Profile Retention Policy ^{_{25684eac-daaa-4c2c-94b4-8d2dbb627909}}	AzureResourceManager	Medium	Observability	Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)	Documentation
Storage Logging For Read Write And Delete Requests Disabled ^{_{43f6e60c-9cdb-4e77-864d-a66595d26518}}	AzureResourceManager	Medium	Observability	Storage Logging should be enabled for read, write and delete methods (read more)	Documentation
Unrecommended Network Watcher Flow Log Retention Policy ^{_{564b70f8-41cd-4690-aff8-bb53add86bc9}}	AzureResourceManager	Medium	Observability	Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)	Documentation
AKS Logging To Azure Monitoring Is Disabled ^{_{9b09dee1-f09b-4013-91d2-158fa4695f4b}}	AzureResourceManager	Medium	Observability	Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)	Documentation
SQL Server Database Without Auditing ^{_{e055285c-bc01-48b4-8aa5-8a54acdd29df}}	AzureResourceManager	Medium	Observability	Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)	Documentation
Log Profile Incorrect Category ^{_{4d522e7b-f938-4d51-a3b1-974ada528bd3}}	AzureResourceManager	Medium	Observability	Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)	Documentation
Hardcoded SecureString Parameter Default Value ^{_{4d2cf896-c053-4be5-9c95-8b4771112f29}}	AzureResourceManager	Medium	Secret Management	Secure parameters should not have hardcoded default value (read more)	Documentation
Website Azure Active Directory Disabled ^{_{e9c133e5-c2dd-4b7b-8fff-40f2de367b56}}	AzureResourceManager	Low	Access Control	WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)	Documentation
Phone Number Not Set For Security Contacts ^{_{3e9fcc67-1f64-405f-b2f9-0a6be17598f0}}	AzureResourceManager	Low	Best Practices	Microsoft.Security securityContacts should have a phone number defined (read more)	Documentation
AKS Dashboard Is Enabled ^{_{c62d3b92-9a11-4ffd-b7b7-6faaae83faed}}	AzureResourceManager	Low	Insecure Configurations	Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)	Documentation
Website with 'Http20Enabled' Disabled ^{_{70111098-7f85-48f0-b1b4-e4261cf5f61b}}	AzureResourceManager	Low	Networking and Firewall	'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)	Documentation
Storage Account Allows Default Network Access ^{_{9073f073-5d60-4b46-b569-0d6baa80ed95}}	AzureResourceManager	Low	Networking and Firewall	'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)	Documentation
App Service Authentication Is Not Set ^{_{83130a07-235b-4a80-918b-a370e53f0bd9}}	AzureResourceManager	Info	Access Control	Azure App Service should have App Service Authentication set (read more)	Documentation
SQL Alert Policy Without Emails ^{_{89b79fe5-49bd-4d39-84ce-55f5fc6f7764}}	AzureResourceManager	Info	Best Practices	SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)	Documentation
Account Admins Not Notified By Email ^{_{a8852cc0-fd4b-4fc7-9372-1e43fad0732e}}	AzureResourceManager	Info	Best Practices	Account admins should be notified by email in the event of security alerts (read more)	Documentation
Email Notifications Disabled ^{_{79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92}}	AzureResourceManager	Info	Networking and Firewall	Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)	Documentation
Volume Mounted In Multiple Containers ^{_{baa452f0-1f21-4a25-ace5-844e7a5f410d}}	DockerCompose	High	Build Process	Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)	Documentation
Volume Has Sensitive Host Directory ^{_{1c1325ff-831d-43a1-973e-839ae57dfcc0}}	DockerCompose	High	Build Process	Container has sensitive host directory mounted as a volume (read more)	Documentation
Docker Socket Mounted In Container ^{_{d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b}}	DockerCompose	High	Build Process	Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)	Documentation
Privileged Containers Enabled ^{_{ae5b6871-7f45-42e0-bb4c-ab300c4d2026}}	DockerCompose	High	Resource Management	Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)	Documentation
No New Privileges Not Set ^{_{27fcc7d6-c49b-46e0-98f1-6c082a6a2750}}	DockerCompose	High	Resource Management	Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)	Documentation
Healthcheck Not Set ^{_{698ed579-b239-4f8f-a388-baa4bcb13ef8}}	DockerCompose	Medium	Availability	Check containers periodically to see if they are running properly. (read more)	Documentation
Restart Policy On Failure Not Set To 5 ^{_{2fc99041-ddad-49d5-853f-e35e70a48391}}	DockerCompose	Medium	Build Process	Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)	Documentation
Cgroup Not Default ^{_{4d9f44c6-2f4a-4317-9bb5-267adbea0232}}	DockerCompose	Medium	Build Process	Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)	Documentation
Container Traffic Not Bound To Host Interface ^{_{451d79dc-0588-476a-ad03-3c7f0320abb3}}	DockerCompose	Medium	Networking and Firewall	Incoming container traffic should be bound to a specific host interface (read more)	Documentation
Privileged Ports Mapped In Container ^{_{bc2908f3-f73c-40a9-8793-c1b7d5544f79}}	DockerCompose	Medium	Networking and Firewall	Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)	Documentation
Networks Not Set ^{_{ce14a68b-1668-41a0-ab7d-facd9f784742}}	DockerCompose	Medium	Networking and Firewall	Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)	Documentation
Shared Host User Namespace ^{_{8af7162d-6c98-482f-868e-0d33fb675ca8}}	DockerCompose	Medium	Resource Management	The host's user namespace should not be shared. (read more)	Documentation
Shared Host Network Namespace ^{_{071a71ff-f868-47a4-ac0b-3c59e4ab5443}}	DockerCompose	Medium	Resource Management	Container should not share the host network namespace (read more)	Documentation
Default Seccomp Profile Disabled ^{_{404fde2c-bc4b-4371-9747-7054132ac953}}	DockerCompose	Medium	Resource Management	Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)	Documentation
Pids Limit Not Set ^{_{221e0658-cb2a-44e3-b08a-db96a341d6fa}}	DockerCompose	Medium	Resource Management	'pids_limit' should be set and different than -1 (read more)	Documentation
Host Namespace is Shared ^{_{4f31dd9f-2cc3-4751-9b53-67e4af83dac0}}	DockerCompose	Medium	Resource Management	The hosts process namespace should not be shared by containers (read more)	Documentation
Security Opt Not Set ^{_{610e266e-6c12-4bca-9925-1ed0cd29742b}}	DockerCompose	Medium	Resource Management	Attribute 'security_opt' should be defined. (read more)	Documentation
Memory Not Limited ^{_{bb9ac4f7-e13b-423d-a010-c74a1bfbe492}}	DockerCompose	Medium	Resource Management	Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)	Documentation
Shared Host IPC Namespace ^{_{baa3890f-bed7-46f5-ab8f-1da8fc91c729}}	DockerCompose	Medium	Resource Management	Container should not share the host IPC namespace (read more)	Documentation
Container Capabilities Unrestricted ^{_{ce76b7d0-9e77-464d-b86f-c5c48e03e22d}}	DockerCompose	Low	Resource Management	Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)	Documentation
Cpus Not Limited ^{_{6b610c50-99fb-4ef0-a5f3-e312fd945bc3}}	DockerCompose	Low	Resource Management	CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)	Documentation
Function App Authentication Disabled ^{_{e65a0733-94a0-4826-82f4-df529f4c593f}}	Terraform	High	Access Control	Azure Function App authentication settings should be enabled (read more)	Documentation
Public Storage Account ^{_{17f75827-0684-48f4-8747-61129c7e4198}}	Terraform	High	Access Control	Storage Account should not be public to grant the principle of least privileges (read more)	Documentation
Storage Container Is Publicly Accessible ^{_{dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299}}	Terraform	High	Access Control	Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)	Documentation
Role Assignment Not Limit Guest User Permissions ^{_{8e75e431-449f-49e9-b56a-c8f1378025cf}}	Terraform	High	Access Control	Role Assignment should limit guest user permissions (read more)	Documentation
Admin User Enabled For Container Registry ^{_{b897dfbf-322c-45a8-b67c-1e698beeaa51}}	Terraform	High	Access Control	Admin user is enabled for Container Registry (read more)	Documentation
Role Assignment Of Guest Users ^{_{2bc626a8-0751-446f-975d-8139214fc790}}	Terraform	High	Access Control	There is a role assignment for guest user (read more)	Documentation
Geo Redundancy Is Disabled ^{_{8b042c30-e441-453f-b162-7696982ebc58}}	Terraform	High	Backup	Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)	Documentation
Azure Instance Using Basic Authentication ^{_{dafe30ec-325d-4516-85d1-e8e6776f012c}}	Terraform	High	Best Practices	Azure Instances should use SSH Key instead of basic authentication (read more)	Documentation
SSL Enforce Disabled ^{_{0437633b-daa6-4bbc-8526-c0d2443b946e}}	Terraform	High	Encryption	Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)	Documentation
Function App Not Using Latest TLS Encryption Version ^{_{45fc717a-bd86-415c-bdd8-677901be1aa6}}	Terraform	High	Encryption	Ensure Function App is using the latest version of TLS encryption (read more)	Documentation
App Service Not Using Latest TLS Encryption Version ^{_{b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643}}	Terraform	High	Encryption	Ensure App Service is using the latest version of TLS encryption (read more)	Documentation
Storage Account Not Forcing HTTPS ^{_{12944ec4-1fa0-47be-8b17-42a034f937c2}}	Terraform	High	Encryption	Storage Accounts should enforce the use of HTTPS (read more)	Documentation
MySQL SSL Connection Disabled ^{_{73e42469-3a86-4f39-ad78-098f325b4e9f}}	Terraform	High	Encryption	Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)	Documentation
Web App Accepting Traffic Other Than HTTPS ^{_{11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe}}	Terraform	High	Insecure Configurations	Web app should only accept HTTPS traffic in Azure Web App Service. (read more)	Documentation
Redis Not Updated Regularly ^{_{b947809d-dd2f-4de9-b724-04d101c515aa}}	Terraform	High	Insecure Configurations	Redis Cache is not configured to be updated regularly with security and operational updates (read more)	Documentation
Function App FTPS Enforce Disabled ^{_{9dab0179-433d-4dff-af8f-0091025691df}}	Terraform	High	Insecure Configurations	Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)	Documentation
Azure App Service Client Certificate Disabled ^{_{a81573f9-3691-4d83-88a0-7d4af63e17a3}}	Terraform	High	Insecure Configurations	Azure App Service client certificate should be enabled (read more)	Documentation
AKS Private Cluster Disabled ^{_{599318f2-6653-4569-9e21-041d06c63a89}}	Terraform	High	Insecure Configurations	Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)	Documentation
Azure Container Registry With No Locks ^{_{a187ac47-8163-42ce-8a63-c115236be6fb}}	Terraform	High	Insecure Configurations	Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)	Documentation
AD Admin Not Configured For SQL Server ^{_{a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b}}	Terraform	High	Insecure Configurations	The Active Directory Administrator is not configured for a SQL server (read more)	Documentation
Network Watcher Flow Disabled ^{_{b90842e5-6779-44d4-9760-972f4c03ba1c}}	Terraform	High	Insecure Configurations	Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)	Documentation
VM Not Attached To Network ^{_{bbf6b3df-4b65-4f87-82cc-da9f30f8c033}}	Terraform	High	Insecure Configurations	No Network Security Group is attached to the Virtual Machine (read more)	Documentation
App Service FTPS Enforce Disabled ^{_{85da374f-b00f-4832-9d44-84a1ca1e89f8}}	Terraform	High	Insecure Configurations	Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)	Documentation
Sensitive Port Is Exposed To Entire Network ^{_{594c198b-4d79-41b8-9b36-fde13348b619}}	Terraform	High	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)	Documentation
RDP Is Exposed To The Internet ^{_{efbf6449-5ec5-4cfe-8f15-acc51e0d787c}}	Terraform	High	Networking and Firewall	Port 3389 (Remote Desktop) is exposed to the internet (read more)	Documentation
Trusted Microsoft Services Not Enabled ^{_{5400f379-a347-4bdd-a032-446465fdcc6f}}	Terraform	High	Networking and Firewall	Trusted Microsoft Services should be enabled for Storage Account access (read more)	Documentation
CosmosDB Account IP Range Filter Not Set ^{_{c2a3efb6-8a58-481c-82f2-bfddf34bb4b7}}	Terraform	High	Networking and Firewall	The IP range filter should be defined to secure the data stored (read more)	Documentation
SQLServer Ingress From Any IP ^{_{25c0ea09-f1c5-4380-b055-3b83863f2bb8}}	Terraform	High	Networking and Firewall	Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)	Documentation
MSSQL Server Public Network Access Enabled ^{_{ade36cf4-329f-4830-a83d-9db72c800507}}	Terraform	High	Networking and Firewall	MSSQL Server public network access should be disabled (read more)	Documentation
Redis Publicly Accessible ^{_{5089d055-53ff-421b-9482-a5267bdce629}}	Terraform	High	Networking and Firewall	Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)	Documentation
Redis Entirely Accessible ^{_{fd8da341-6760-4450-b26c-9f6d8850575e}}	Terraform	High	Networking and Firewall	Firewall rule allowing unrestricted access to Redis from the Internet (read more)	Documentation
MySQL Server Public Access Enabled ^{_{f118890b-2468-42b1-9ce9-af35146b425b}}	Terraform	High	Networking and Firewall	MySQL Server public access should be disabled (read more)	Documentation
SSH Is Exposed To The Internet ^{_{3e3c175e-aadf-4e2b-a464-3fdac5748d24}}	Terraform	High	Networking and Firewall	Port 22 (SSH) is exposed to the internet (read more)	Documentation
Vault Auditing Disabled ^{_{38c71c00-c177-4cd7-8d36-cd1007cdb190}}	Terraform	High	Observability	Ensure that logging for Azure KeyVault is 'Enabled' (read more)	Documentation
SQL Database Audit Disabled ^{_{83a229ba-483e-47c6-8db7-dc96969bce5a}}	Terraform	High	Resource Management	Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)	Documentation
App Service Managed Identity Disabled ^{_{b61cce4b-0cc4-472b-8096-15617a6d769b}}	Terraform	High	Resource Management	Azure App Service should have managed identity enabled (read more)	Documentation
PostgreSQL Server Threat Detection Policy Disabled ^{_{c407c3cf-c409-4b29-b590-db5f4138d332}}	Terraform	High	Resource Management	PostgreSQL Server Threat Detection Policy should be enabled (read more)	Documentation
Secret Expiration Not Set ^{_{dfa20ffa-f476-428f-a490-424b41e91c7f}}	Terraform	High	Secret Management	Make sure that for all secrets the expiration date is set (read more)	Documentation
Key Expiration Not Set ^{_{4d080822-5ee2-49a4-8984-68f3d4c890fc}}	Terraform	High	Secret Management	Make sure that for all keys the expiration date is set (read more)	Documentation
Storage Share File Allows All ACL Permissions ^{_{48bbe0fd-57e4-4678-a4a1-119e79c90fc3}}	Terraform	Medium	Access Control	Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)	Documentation
Storage Table Allows All ACL Permissions ^{_{3ac3e75c-6374-4a32-8ba0-6ed69bda404e}}	Terraform	Medium	Access Control	Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)	Documentation
Role Definition Allows Custom Role Creation ^{_{3fa5900f-9aac-4982-96b2-a6143d9c99fb}}	Terraform	Medium	Access Control	Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)	Documentation
AKS RBAC Disabled ^{_{86f92117-eed8-4614-9c6c-b26da20ff37f}}	Terraform	Medium	Access Control	Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)	Documentation
Virtual Network with DDoS Protection Plan disabled ^{_{b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a}}	Terraform	Medium	Availability	Virtual Network should have DDoS Protection Plan enabled (read more)	Documentation
SQL Server Predictable Admin Account Name ^{_{2ab6de9a-0136-415c-be92-79d2e4fd750f}}	Terraform	Medium	Best Practices	Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)	Documentation
Security Contact Email ^{_{34664094-59e0-4524-b69f-deaa1a68cce3}}	Terraform	Medium	Best Practices	Security Contact Email should be defined (read more)	Documentation
SQL Server Predictable Active Directory Account Name ^{_{bcd3fc01-5902-4f2a-b05a-227f9bbf5450}}	Terraform	Medium	Best Practices	Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)	Documentation
Cosmos DB Account Without Tags ^{_{56dad03e-e94f-4dd6-93a4-c253a03ff7a0}}	Terraform	Medium	Build Process	Cosmos DB Account must have a mapping of tags. (read more)	Documentation
AKS Disk Encryption Set ID Undefined ^{_{b17d8bb8-4c08-4785-867e-cb9e62a622aa}}	Terraform	Medium	Encryption	Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)	Documentation
Storage Account Not Using Latest TLS Encryption Version ^{_{8263f146-5e03-43e0-9cfe-db960d56d1e7}}	Terraform	Medium	Encryption	Ensure Storage Account is using the latest version of TLS encryption (read more)	Documentation
Encryption On Managed Disk Disabled ^{_{a99130ab-4c0e-43aa-97f8-78d4fcb30024}}	Terraform	Medium	Encryption	Ensure that the encryption is active on the disk (read more)	Documentation
Security Center Pricing Tier Is Not Standard ^{_{819d50fd-1cdf-45c3-9936-be408aaad93e}}	Terraform	Medium	Insecure Configurations	Make sure that the 'Standard' pricing tiers were selected. (read more)	Documentation
Redis Cache Allows Non SSL Connections ^{_{e29a75e6-aba3-4896-b42d-b87818c16b58}}	Terraform	Medium	Insecure Configurations	Redis Cache resources should not allow non-SSL connections (read more)	Documentation
Function App Managed Identity Disabled ^{_{c87749b3-ff10-41f5-9df2-c421e8151759}}	Terraform	Medium	Insecure Configurations	Azure Function App should have managed identity enabled (read more)	Documentation
Security Group is Not Configured ^{_{5c822443-e1ea-46b8-84eb-758ec602e844}}	Terraform	Medium	Insecure Configurations	Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)	Documentation
AKS Network Policy Misconfigured ^{_{f5342045-b935-402d-adf1-8dbbd09c0eef}}	Terraform	Medium	Insecure Configurations	Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)	Documentation
Small Flow Logs Retention Period ^{_{7750fcca-dd03-4d38-b663-4b70289bcfd4}}	Terraform	Medium	Insecure Configurations	Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)	Documentation
Function App Client Certificates Unrequired ^{_{9bb3c639-5edf-458c-8ee5-30c17c7d671d}}	Terraform	Medium	Insecure Configurations	Azure Function App should have 'client_cert_mode' set to required (read more)	Documentation
Default Azure Storage Account Network Access Is Too Permissive ^{_{a5613650-32ec-4975-a305-31af783153ea}}	Terraform	Medium	Insecure Defaults	Default Azure Storage Account network access should be set to Deny (read more)	Documentation
Unrestricted SQL Server Access ^{_{d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28}}	Terraform	Medium	Networking and Firewall	Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)	Documentation
Firewall Rule Allows Too Many Hosts To Access Redis Cache ^{_{a829b715-cf75-4e92-b645-54c9b739edfb}}	Terraform	Medium	Networking and Firewall	Check if any firewall rule allows too many hosts to access Redis Cache (read more)	Documentation
Network Interfaces With Public IP ^{_{c1573577-e494-4417-8854-7e119368dc8b}}	Terraform	Medium	Networking and Firewall	Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)	Documentation
Network Interfaces IP Forwarding Enabled ^{_{4216ebac-d74c-4423-b437-35025cb88af5}}	Terraform	Medium	Networking and Firewall	Network Interfaces IP Forwarding should be disabled (read more)	Documentation
Azure Cognitive Search Public Network Access Enabled ^{_{4a9e0f00-0765-4f72-a0d4-d31110b78279}}	Terraform	Medium	Networking and Firewall	Public Network Access should be disabled for Azure Cognitive Search (read more)	Documentation
WAF Is Disabled For Azure Application Gateway ^{_{2e48d91c-50e4-45c8-9312-27b625868a72}}	Terraform	Medium	Networking and Firewall	Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)	Documentation
Sensitive Port Is Exposed To Small Public Network ^{_{e9dee01f-2505-4df2-b9bf-7804d1fd9082}}	Terraform	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)	Documentation
Sensitive Port Is Exposed To Wide Private Network ^{_{c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e}}	Terraform	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)	Documentation
MariaDB Server Public Network Access Enabled ^{_{7f0a8696-7159-4337-ad0d-8a3ab4a78195}}	Terraform	Medium	Networking and Firewall	MariaDB Server Public Network Access should be disabled (read more)	Documentation
PostgreSQL Log Disconnections Not Set ^{_{07f7134f-9f37-476e-8664-670c218e4702}}	Terraform	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)	Documentation
PostgreSQL Server Without Connection Throttling ^{_{2b3c671f-1b76-4741-8789-ed1fe0785dc4}}	Terraform	Medium	Observability	Ensure that Connection Throttling is set for the PostgreSQL server (read more)	Documentation
PostgreSQL Log Duration Not Set ^{_{16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f}}	Terraform	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)	Documentation
Log Retention Is Not Set ^{_{ffb02aca-0d12-475e-b77c-a726f7aeff4b}}	Terraform	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)	Documentation
Small MSSQL Audit Retention Period ^{_{9c301481-e6ec-44f7-8a49-8ec63e2969ea}}	Terraform	Medium	Observability	Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)	Documentation
PostgreSQL Log Connections Not Set ^{_{c640d783-10c5-4071-b6c1-23507300d333}}	Terraform	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)	Documentation
Small Activity Log Retention Period ^{_{2b856bf9-8e8c-4005-875f-303a8cba3918}}	Terraform	Medium	Observability	Ensure that Activity Log Retention is set 365 days or greater (read more)	Documentation
Small PostgreSQL DB Server Log Retention Period ^{_{261a83f8-dd72-4e8c-b5e1-ebf06e8fe606}}	Terraform	Medium	Observability	Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)	Documentation
MSSQL Server Auditing Disabled ^{_{609839ae-bd81-4375-9910-5bce72ae7b92}}	Terraform	Medium	Observability	Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)	Documentation
PostgreSQL Log Checkpoints Disabled ^{_{3790d386-be81-4dcf-9850-eaa7df6c10d9}}	Terraform	Medium	Observability	Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)	Documentation
SQL Server Auditing Disabled ^{_{f7e296b0-6660-4bc5-8f87-22ac4a815edf}}	Terraform	Medium	Observability	Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)	Documentation
Email Alerts Disabled ^{_{9db38e87-f6aa-4b5e-a1ec-7266df259409}}	Terraform	Medium	Observability	Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)	Documentation
Small MSSQL Server Audit Retention ^{_{59acb56b-2b10-4c2c-ba38-f2223c3f5cfc}}	Terraform	Medium	Observability	Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)	Documentation
Azure Active Directory Authentication ^{_{a21c8da9-41bf-40cf-941d-330cf0d11fc7}}	Terraform	Low	Access Control	Azure Active Directory must be used for authentication for Service Fabric (read more)	Documentation
MariaDB Server Geo-redundant Backup Disabled ^{_{0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1}}	Terraform	Low	Backup	MariaDB Server Geo-redundant Backup should be enabled (read more)	Documentation
App Service Without Latest Python Version ^{_{cc4aaa9d-1070-461a-b519-04e00f42db8a}}	Terraform	Low	Best Practices	Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)	Documentation
App Service Without Latest PHP Version ^{_{96fe318e-d631-4156-99fa-9080d57280ae}}	Terraform	Low	Best Practices	Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)	Documentation
Key Vault Secrets Content Type Undefined ^{_{f8e08a38-fc6e-4915-abbe-a7aadf1d59ef}}	Terraform	Low	Best Practices	Key Vault Secrets should have set Content Type (read more)	Documentation
AKS Uses Azure Policies Add-On Disabled ^{_{43789711-161b-4708-b5bb-9d1c626f7492}}	Terraform	Low	Best Practices	Azure Container Service (AKS) should use Azure Policies Add-On (read more)	Documentation
PostgreSQL Server Infrastructure Encryption Disabled ^{_{6425c98b-ca4e-41fe-896a-c78772c131f8}}	Terraform	Low	Encryption	PostgreSQL Server Infrastructure Encryption should be enabled (read more)	Documentation
App Service HTTP2 Disabled ^{_{525b53be-62ed-4244-b4df-41aecfcb4071}}	Terraform	Low	Insecure Configurations	App Service should have 'http2_enabled' enabled (read more)	Documentation
Function App HTTP2 Disabled ^{_{ace823d1-4432-4dee-945b-cdf11a5a6bd0}}	Terraform	Low	Insecure Configurations	Function App should have 'http2_enabled' enabled (read more)	Documentation
Dashboard Is Enabled ^{_{61c3cb8b-0715-47e4-b788-86dde40dd2db}}	Terraform	Low	Insecure Configurations	Check if the Kubernetes Dashboard is enabled. (read more)	Documentation
Azure Front Door WAF Disabled ^{_{835a4f2f-df43-437d-9943-545ccfc55961}}	Terraform	Low	Networking and Firewall	Azure Front Door WAF should be enabled (read more)	Documentation
App Service Authentication Disabled ^{_{c7fc1481-2899-4490-bbd8-544a3a61a2f3}}	Terraform	Info	Access Control	Azure App Service authentication settings should be enabled (read more)	Documentation
SQL Server Alert Email Disabled ^{_{55975007-f6e7-4134-83c3-298f1fe4b519}}	Terraform	Info	Best Practices	SQL Server alert email should be enabled (read more)	Documentation
Generic Git Module Without Revision ^{_{3a81fc06-566f-492a-91dd-7448e409e2cd}}	Terraform	Info	Best Practices	All generic git repositories should reference a revision. (read more)	Documentation
Variable Without Type ^{_{fc5109bf-01fd-49fb-8bde-4492b543c34a}}	Terraform	Info	Best Practices	All variables should contain a valid type. (read more)	Documentation
Name Is Not Snake Case ^{_{1e434b25-8763-4b00-a5ca-ca03b7abbb66}}	Terraform	Info	Best Practices	All names should follow snake case pattern. (read more)	Documentation
Output Without Description ^{_{59312e8a-a64e-41e7-a252-618533dd1ea8}}	Terraform	Info	Best Practices	All outputs should contain a valid description. (read more)	Documentation
Variable Without Description ^{_{2a153952-2544-4687-bcc9-cc8fea814a9b}}	Terraform	Info	Best Practices	All variables should contain a valid description. (read more)	Documentation
Neptune Cluster Instance is Publicly Accessible ^{_{9ba198e0-fef4-464a-8a4d-75ea55300de7}}	Terraform	High	Access Control	Neptune Cluster Instance should not be publicly accessible (read more)	Documentation
S3 Bucket Allows List Action From All Principals ^{_{66c6f96f-2d9e-417e-a998-9058aeeecd44}}	Terraform	High	Access Control	S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)	Documentation
MSK Broker Is Publicly Accessible ^{_{54378d69-dd7c-4b08-a43e-80d563396857}}	Terraform	High	Access Control	Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)	Documentation
IAM Policy Grants Full Permissions ^{_{575a2155-6af1-4026-b1af-d5bc8fe2a904}}	Terraform	High	Access Control	IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)	Documentation
ECS Service Admin Role Is Present ^{_{3206240f-2e87-4e58-8d24-3e19e7c83d7c}}	Terraform	High	Access Control	ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)	Documentation
S3 Bucket ACL Grants WRITE_ACP Permission ^{_{64a222aa-7793-4e40-915f-4b302c76e4d4}}	Terraform	High	Access Control	S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)	Documentation
S3 Bucket ACL Allows Read to Any Authenticated User ^{_{57b9893d-33b1-4419-bcea-a717ea87e139}}	Terraform	High	Access Control	S3 Buckets should not be readable to any authenticated user (read more)	Documentation
S3 Bucket Allows Public Policy ^{_{1a4bc881-9f69-4d44-8c9a-d37d08f54c50}}	Terraform	High	Access Control	S3 bucket allows public policy (read more)	Documentation
IAM Policies With Full Privileges ^{_{2f37c4a3-58b9-4afe-8a87-d7f1d2286f84}}	Terraform	High	Access Control	IAM policies shouldn't allow full administrative privileges (for all resources) (read more)	Documentation
SQS Queue Exposed ^{_{abb06e5f-ef9a-4a99-98c6-376d396bfcdf}}	Terraform	High	Access Control	Checks if the SQS Queue is exposed (read more)	Documentation
S3 Bucket Access to Any Principal ^{_{7af43613-6bb9-4a0e-8c4d-1314b799425e}}	Terraform	High	Access Control	S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)	Documentation
S3 Bucket Allows Delete Action From All Principals ^{_{ffdf4b37-7703-4dfe-a682-9d2e99bc6c09}}	Terraform	High	Access Control	S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)	Documentation
S3 Bucket With All Permissions ^{_{a4966c4f-9141-48b8-a564-ffe9959945bc}}	Terraform	High	Access Control	S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)	Documentation
Amazon DMS Replication Instance Is Publicly Accessible ^{_{030d3b18-1821-45b4-9e08-50efbe7becbb}}	Terraform	High	Access Control	Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)	Documentation
SNS Topic is Publicly Accessible ^{_{b26d2b7e-60f6-413d-a3a1-a57db24aa2b3}}	Terraform	High	Access Control	SNS Topic Policy should not allow any principal to access (read more)	Documentation
S3 Bucket ACL Allows Read Or Write to All Users ^{_{38c5ee0d-7f22-4260-ab72-5073048df100}}	Terraform	High	Access Control	S3 Buckets should not be readable and writable to all users (read more)	Documentation
Authentication Without MFA ^{_{3ddfa124-6407-4845-a501-179f90c65097}}	Terraform	High	Access Control	Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)	Documentation
S3 Bucket Allows Get Action From All Principals ^{_{1df37f4b-7197-45ce-83f8-9994d2fcf885}}	Terraform	High	Access Control	S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)	Documentation
EFS With Vulnerable Policy ^{_{fae52418-bb8b-4ac2-b287-0b9082d6a3fd}}	Terraform	High	Access Control	EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)	Documentation
S3 Bucket Allows Put Action From All Principals ^{_{d24c0755-c028-44b1-b503-8e719c898832}}	Terraform	High	Access Control	S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)	Documentation
SSO Policy with full privileges ^{_{132a8c31-9837-4203-9fd1-15ca210c7b73}}	Terraform	High	Access Control	SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)	Documentation
IAM Role With Full Privileges ^{_{b1ffa705-19a3-4b73-b9d0-0c97d0663842}}	Terraform	High	Access Control	IAM role policy that allow full administrative privileges (for all resources) (read more)	Documentation
User Data Shell Script Is Encoded ^{_{9cf718ce-46f9-430e-89ec-c456f8b469ee}}	Terraform	High	Encryption	User Data Shell Script must be encoded (read more)	Documentation
API Gateway Method Settings Cache Not Encrypted ^{_{b7c9a40c-23e4-4a2d-8d39-a3352f10f288}}	Terraform	High	Encryption	API Gateway Method Settings Cache should be encrypted (read more)	Documentation
IAM Database Auth Not Enabled ^{_{88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6}}	Terraform	High	Encryption	IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)	Documentation
S3 Bucket SSE Disabled ^{_{6726dcc0-5ff5-459d-b473-a780bef7665c}}	Terraform	High	Encryption	If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)	Documentation
RDS Database Cluster not Encrypted ^{_{656880aa-1388-488f-a6d4-8f73c23149b2}}	Terraform	High	Encryption	RDS Database Cluster Encryption should be enabled (read more)	Documentation
EKS Cluster Encryption Disabled ^{_{63ebcb19-2739-4d3f-aa5c-e8bbb9b85281}}	Terraform	High	Encryption	EKS Cluster should be encrypted (read more)	Documentation
EFS Without KMS ^{_{25d251f3-f348-4f95-845c-1090e41a615c}}	Terraform	High	Encryption	Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)	Documentation
DOCDB Cluster Not Encrypted ^{_{bc1f9009-84a0-490f-ae09-3e0ea6d74ad6}}	Terraform	High	Encryption	AWS DOCDB Cluster storage should be encrypted (read more)	Documentation
EBS Default Encryption Disabled ^{_{3d3f6270-546b-443c-adb4-bb6fb2187ca6}}	Terraform	High	Encryption	EBS Encryption should be enabled (read more)	Documentation
CA Certificate Identifier Is Outdated ^{_{9f40c07e-699e-4410-8856-3ba0f2e3a2dd}}	Terraform	High	Encryption	The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)	Documentation
DAX Cluster Not Encrypted ^{_{f11aec39-858f-4b6f-b946-0a1bf46c0c87}}	Terraform	High	Encryption	AWS DAX Cluster should have server-side encryption at rest (read more)	Documentation
Athena Workgroup Not Encrypted ^{_{d364984a-a222-4b5f-a8b0-e23ab19ebff3}}	Terraform	High	Encryption	Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)	Documentation
ELB Using Insecure Protocols ^{_{126c1788-23c2-4a10-906c-ef179f4f96ec}}	Terraform	High	Encryption	ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)	Documentation
DOCDB Cluster Without KMS ^{_{4766d3ea-241c-4ee6-93ff-c380c996bd1a}}	Terraform	High	Encryption	AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)	Documentation
RDS Storage Not Encrypted ^{_{3199c26c-7871-4cb3-99c2-10a59244ce7f}}	Terraform	High	Encryption	RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)	Documentation
Workspaces Workspace Volume Not Encrypted ^{_{b9033580-6886-401a-8631-5f19f5bb24c7}}	Terraform	High	Encryption	AWS Workspaces Workspace data stored in volumes should be encrypted (read more)	Documentation
Redis Not Compliant ^{_{254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4}}	Terraform	High	Encryption	Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)	Documentation
Kinesis SSE Not Configured ^{_{5c6dd5e7-1fe0-4cae-8f81-4c122717cef3}}	Terraform	High	Encryption	AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)	Documentation
Glue Data Catalog Encryption Disabled ^{_{01d50b14-e933-4c99-b314-6d08cd37ad35}}	Terraform	High	Encryption	Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)	Documentation
Secure Ciphers Disabled ^{_{5c0003fb-9aa0-42c1-9da3-eb0e332bef21}}	Terraform	High	Encryption	Check if secure ciphers aren't used in CloudFront (read more)	Documentation
Kinesis Not Encrypted With KMS ^{_{862fe4bf-3eec-4767-a517-40f378886b88}}	Terraform	High	Encryption	AWS Kinesis Streams and metadata should be protected with KMS (read more)	Documentation
DB Instance Storage Not Encrypted ^{_{08bd0760-8752-44e1-9779-7bb369b2b4e4}}	Terraform	High	Encryption	AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)	Documentation
Glue Security Configuration Encryption Disabled ^{_{ad5b4e97-2850-4adf-be17-1d293e0b85ee}}	Terraform	High	Encryption	Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)	Documentation
AMI Not Encrypted ^{_{8bbb242f-6e38-4127-86d4-d8f0b2687ae2}}	Terraform	High	Encryption	AWS AMI Encryption is not enabled (read more)	Documentation
EBS Volume Snapshot Not Encrypted ^{_{e6b4b943-6883-47a9-9739-7ada9568f8ca}}	Terraform	High	Encryption	The value on AWS EBS Volume Snapshot Encryptation must be true (read more)	Documentation
Sagemaker Notebook Instance Without KMS ^{_{f3674e0c-f6be-43fa-b71c-bf346d1aed99}}	Terraform	High	Encryption	AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)	Documentation
ECS Task Definition Container With Plaintext Password ^{_{d40210ea-64b9-4cce-a4fb-e8604f3c062c}}	Terraform	High	Encryption	It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)	Documentation
User Data Contains Encoded Private Key ^{_{443488f5-c734-460b-a36d-5b3f330174dc}}	Terraform	High	Encryption	User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)	Documentation
Sagemaker Endpoint Configuration Encryption Disabled ^{_{58b35504-0287-4154-bf69-02c0573deab8}}	Terraform	High	Encryption	Sagemaker endpoint configuration should encrypt data (read more)	Documentation
ELB Using Weak Ciphers ^{_{4a800e14-c94a-442d-9067-5a2e9f6c0a4c}}	Terraform	High	Encryption	ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)	Documentation
Launch Configuration Is Not Encrypted ^{_{4de9de27-254e-424f-bd70-4c1e95790838}}	Terraform	High	Encryption	Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)	Documentation
Aurora With Disabled at Rest Encryption ^{_{1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e}}	Terraform	High	Encryption	Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)	Documentation
ECS Task Definition Volume Not Encrypted ^{_{4d46ff3b-7160-41d1-a310-71d6d370b08f}}	Terraform	High	Encryption	Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)	Documentation
CodeBuild Project Encrypted With AWS Managed Key ^{_{3deec14b-03d2-4d27-9670-7d79322e3340}}	Terraform	High	Encryption	CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)	Documentation
MSK Cluster Encryption Disabled ^{_{6db52fa6-d4da-4608-908a-89f0c59e743e}}	Terraform	High	Encryption	Ensure MSK Cluster encryption in rest and transit is enabled (read more)	Documentation
S3 Bucket Object Not Encrypted ^{_{5fb49a69-8d46-4495-a2f8-9c8c622b2b6e}}	Terraform	High	Encryption	S3 Bucket Object should have server-side encryption enabled (read more)	Documentation
Redshift Not Encrypted ^{_{cfdcabb0-fc06-427c-865b-c59f13e898ce}}	Terraform	High	Encryption	AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)	Documentation
Cloudfront Viewer Protocol Policy Allows HTTP ^{_{55af1353-2f62-4fa0-a8e1-a210ca2708f5}}	Terraform	High	Encryption	Checks if the connection between CloudFront and the viewer is encrypted (read more)	Documentation
EFS Not Encrypted ^{_{48207659-729f-4b5c-9402-f884257d794f}}	Terraform	High	Encryption	Elastic File System (EFS) must be encrypted (read more)	Documentation
Athena Database Not Encrypted ^{_{b2315cae-b110-4426-81e0-80bb8640cdd3}}	Terraform	High	Encryption	AWS Athena Database data in S3 should be encrypted (read more)	Documentation
API Gateway Without Security Policy ^{_{4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b}}	Terraform	High	Insecure Configurations	API Gateway should have a Security Policy defined and use TLS 1.2. (read more)	Documentation
Redshift Publicly Accessible ^{_{af173fde-95ea-4584-b904-bb3923ac4bda}}	Terraform	High	Insecure Configurations	AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)	Documentation
Lambda Function With Privileged Role ^{_{1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2}}	Terraform	High	Insecure Configurations	It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)	Documentation
KMS Key With Full Permissions ^{_{7ebc9038-0bde-479a-acc4-6ed7b6758899}}	Terraform	High	Insecure Configurations	The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)	Documentation
S3 Bucket with Unsecured CORS Rule ^{_{98a8f708-121b-455b-ae2f-da3fb59d17e1}}	Terraform	High	Insecure Configurations	If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)	Documentation
RDS DB Instance Publicly Accessible ^{_{35113e6f-2c6b-414d-beec-7a9482d3b2d1}}	Terraform	High	Insecure Configurations	RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)	Documentation
ECS Task Definition Network Mode Not Recommended ^{_{9f4a9409-9c60-4671-be96-9716dbf63db1}}	Terraform	High	Insecure Configurations	Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)	Documentation
Batch Job Definition With Privileged Container Properties ^{_{66cd88ac-9ddf-424a-b77e-e55e17630bee}}	Terraform	High	Insecure Configurations	Batch Job Definition should not have Privileged Container Properties (read more)	Documentation
S3 Static Website Host Enabled ^{_{42bb6b7f-6d54-4428-b707-666f669d94fb}}	Terraform	High	Insecure Configurations	Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)	Documentation
S3 Bucket Without Restriction Of Public Bucket ^{_{1ec253ab-c220-4d63-b2de-5b40e0af9293}}	Terraform	High	Insecure Configurations	S3 bucket without restriction of public bucket (read more)	Documentation
DB Security Group Has Public Interface ^{_{f0d8781f-99bf-4958-9917-d39283b168a0}}	Terraform	High	Insecure Configurations	The CIDR IP should not be a public interface (read more)	Documentation
S3 Bucket Without Enabled MFA Delete ^{_{c5b31ab9-0f26-4a49-b8aa-4cc064392f4d}}	Terraform	High	Insecure Configurations	S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)	Documentation
IAM User Policy Without MFA ^{_{b5681959-6c09-4f55-b42b-c40fa12d03ec}}	Terraform	High	Insecure Configurations	Check if the root user is authenticated with MFA (read more)	Documentation
No Password Policy Enabled ^{_{b592ffd4-0577-44b6-bd35-8c5ee81b5918}}	Terraform	High	Insecure Configurations	IAM password policies should be set through the password minimum length and reset password attributes (read more)	Documentation
Root Account Has Active Access Keys ^{_{970d224d-b42a-416b-81f9-8f4dfe70c4bc}}	Terraform	High	Insecure Configurations	The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)	Documentation
CloudFront Without Minimum Protocol TLS 1.2 ^{_{00e5e55e-c2ff-46b3-a757-a7a1cd802456}}	Terraform	High	Insecure Configurations	CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)	Documentation
Vulnerable Default SSL Certificate ^{_{3a1e94df-6847-4c0e-a3b6-6c6af4e128ef}}	Terraform	High	Insecure Defaults	CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)	Documentation
Sensitive Port Is Exposed To Entire Network ^{_{381c3f2a-ef6f-4eff-99f7-b169cda3422c}}	Terraform	High	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)	Documentation
Remote Desktop Port Open To Internet ^{_{151187cb-0efc-481c-babd-ad24e3c9bc22}}	Terraform	High	Networking and Firewall	The Remote Desktop port is open to the internet in a Security Group (read more)	Documentation
Security Group With Unrestricted Access To SSH ^{_{65905cec-d691-4320-b320-2000436cb696}}	Terraform	High	Networking and Firewall	'SSH' (TCP:22) should not be public in AWS Security Group (read more)	Documentation
EKS Cluster Has Public Access CIDRs ^{_{61cf9883-1752-4768-b18c-0d57f2737709}}	Terraform	High	Networking and Firewall	Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)	Documentation
VPC Default Security Group Accepts All Traffic ^{_{9a4ef195-74b9-4c58-b8ed-2b2fe4353a75}}	Terraform	High	Networking and Firewall	Default Security Group attached to every VPC should restrict all traffic (read more)	Documentation
Network ACL With Unrestricted Access To RDP ^{_{a20be318-cac7-457b-911d-04cc6e812c25}}	Terraform	High	Networking and Firewall	'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)	Documentation
DB Security Group With Public Scope ^{_{1e0ef61b-ad85-4518-a3d3-85eaad164885}}	Terraform	High	Networking and Firewall	The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)	Documentation
Route53 Record Undefined ^{_{25db74bf-fa3b-44da-934e-8c3e005c0453}}	Terraform	High	Networking and Firewall	Check if Record is set (read more)	Documentation
Unrestricted Security Group Ingress ^{_{4728cd65-a20c-49da-8b31-9c08b423e4db}}	Terraform	High	Networking and Firewall	Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)	Documentation
EC2 Instance Has Public IP ^{_{5a2486aa-facf-477d-a5c1-b010789459ce}}	Terraform	High	Networking and Firewall	EC2 Instance should not have a public IP address. (read more)	Documentation
Network ACL With Unrestricted Access To SSH ^{_{3af7f2fd-06e6-4dab-b996-2912bea19ba4}}	Terraform	High	Networking and Firewall	'SSH' (TCP:22) should not be public in AWS Network ACL (read more)	Documentation
Elasticsearch with HTTPS disabled ^{_{2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e}}	Terraform	High	Networking and Firewall	Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)	Documentation
EKS node group remote access disabled ^{_{ba40ace1-a047-483c-8a8d-bc2d3a67a82d}}	Terraform	High	Networking and Firewall	EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)	Documentation
Unknown Port Exposed To Internet ^{_{590d878b-abdc-428f-895a-e2b68a0e1998}}	Terraform	High	Networking and Firewall	AWS Security Group should not have an unknown port exposed to the entire Internet (read more)	Documentation
HTTP Port Open To Internet ^{_{ffac8a12-322e-42c1-b9b9-81ff85c39ef7}}	Terraform	High	Networking and Firewall	The HTTP port is open to the internet in a Security Group (read more)	Documentation
Default Security Groups With Unrestricted Traffic ^{_{46883ce1-dc3e-4b17-9195-c6a601624c73}}	Terraform	High	Networking and Firewall	Check if default security group does not restrict all inbound and outbound traffic. (read more)	Documentation
VPC Peering Route Table with Unrestricted CIDR ^{_{b3a41501-f712-4c4f-81e5-db9a7dc0e34e}}	Terraform	High	Networking and Firewall	VPC Peering Route Table should restrict CIDR (read more)	Documentation
RDS Associated with Public Subnet ^{_{2f737336-b18a-4602-8ea0-b200312e1ac1}}	Terraform	High	Networking and Firewall	RDS should not run in public subnet (read more)	Documentation
ALB Listening on HTTP ^{_{de7f5e83-da88-4046-871f-ea18504b1d43}}	Terraform	High	Networking and Firewall	AWS Application Load Balancer (alb) should not listen on HTTP (read more)	Documentation
DB Security Group Open To Large Scope ^{_{4f615f3e-fb9c-4fad-8b70-2e9f781806ce}}	Terraform	High	Networking and Firewall	The IP address in a DB Security Group must not have more than 256 hosts. (read more)	Documentation
CloudTrail Logging Disabled ^{_{4bb76f17-3d63-4529-bdca-2b454529d774}}	Terraform	High	Observability	Checks if logging is enabled for CloudTrail. (read more)	Documentation
CloudTrail Log Files S3 Bucket is Publicly Accessible ^{_{bd0088a5-c133-4b20-b129-ec9968b16ef3}}	Terraform	High	Observability	CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)	Documentation
CloudWatch Console Sign-in Without MFA Alarm Missing ^{_{44ceb4fa-0897-4fd2-b676-30e7a58f2933}}	Terraform	High	Observability	Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)	Documentation
CloudWatch IAM Policy Changes Alarm Missing ^{_{eaaba502-2f94-411a-a3c2-83d63cc1776d}}	Terraform	High	Observability	Ensure a log metric filter and alarm exist for IAM policy changes (read more)	Documentation
CMK Rotation Disabled ^{_{22fbfeac-7b5a-421a-8a27-7a2178bb910b}}	Terraform	High	Observability	Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)	Documentation
CloudWatch Root Account Use Missing ^{_{8b1b1e67-6248-4dca-bbad-93486bb181c0}}	Terraform	High	Observability	Ensure a log metric filter and alarm exist for root acount usage (read more)	Documentation
CloudTrail Log Files S3 Bucket with Logging Disabled ^{_{ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4}}	Terraform	High	Observability	CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)	Documentation
CloudWatch Unauthorized Access Alarm Missing ^{_{4c18a45b-4ab1-4790-9f83-399ac695f1e5}}	Terraform	High	Observability	Ensure a log metric filter and alarm exist for unauthorized API calls (read more)	Documentation
KMS Key With No Deletion Window ^{_{0b530315-0ea4-497f-b34c-4ff86268f59d}}	Terraform	High	Observability	AWS KMS Key should have a valid deletion window (read more)	Documentation
User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' ^{_{43a41523-386a-4cb1-becb-42af6b414433}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:PutUserPolicy' ^{_{60263b4a-6801-4587-911d-919c37ed733b}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:PutGroupPolicy' ^{_{d6047119-a0b2-4b59-a4f2-127a36fb685b}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Elasticsearch Without IAM Authentication ^{_{e7530c3c-b7cf-4149-8db9-d037a0b5268e}}	Terraform	Medium	Access Control	AWS Elasticsearch should ensure IAM Authentication (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:PutRolePolicy' ^{_{c0c1e744-0f37-445e-924a-1846f0839f69}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' ^{_{30b88745-eebe-4ecb-a3a9-5cf886e96204}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy' ^{_{f906113d-cdc0-415a-ba60-609cc6daaf4d}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'iam:PutGroupPolicy' ^{_{8bfbf7ab-d5e8-4100-8618-798956e101e0}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously ^{_{5ea624e4-c8b1-4bb3-87a4-4235a776adcc}}	Terraform	Medium	Access Control	SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)	Documentation
SQS Policy With Public Access ^{_{730675f9-52ed-49b6-8ead-0acb5dd7df7f}}	Terraform	Medium	Access Control	Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)	Documentation
User With Privilege Escalation By Actions 'iam:CreateAccessKey' ^{_{113208f2-a886-4526-9ecc-f3218600e12c}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:AddUserToGroup' ^{_{b8a31292-509d-4b61-bc40-13b167db7e9c}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:AttachRolePolicy' ^{_{f465fff1-0a0f-457d-aa4d-1bddb6f204ff}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' ^{_{0a592060-8166-49f5-8e65-99ac6dce9871}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' ^{_{15e6ad8c-f420-49a6-bafb-074f5eb1ec74}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
SQS Policy Allows All Actions ^{_{816ea8cf-d589-442d-a917-2dd0ce0e45e3}}	Terraform	Medium	Access Control	SQS policy allows ALL (*) actions (read more)	Documentation
User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' ^{_{89561b03-cb35-44a9-a7e9-8356e71606f4}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' ^{_{c583f0f9-7dfd-476b-a056-f47c62b47b46}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' ^{_{b69247e5-7e73-464e-ba74-ec9b715c6e12}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:CreateLoginProfile' ^{_{04c686f1-e0cd-4812-88e1-4e038410074c}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' ^{_{78f1ec6f-5659-41ea-bd48-d0a142dce4f2}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:AttachUserPolicy' ^{_{7c96920c-6fd0-449d-9a52-0aa431b6beaf}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
SSO Permission With Inadequate User Session Duration ^{_{ce9dfce0-5fc8-433b-944a-3b16153111a8}}	Terraform	Medium	Access Control	SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)	Documentation
User With Privilege Escalation By Actions 'iam:CreateLoginProfile' ^{_{0fd7d920-4711-46bd-aff2-d307d82cd8b7}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:CreateAccessKey' ^{_{5b4d4aee-ac94-4810-9611-833636e5916d}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:AttachRolePolicy' ^{_{3dd96caa-0b5f-4a85-b929-acfac4646cc2}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
CloudWatch Logs Destination With Vulnerable Policy ^{_{db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8}}	Terraform	Medium	Access Control	CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)	Documentation
IAM Role Policy passRole Allows All ^{_{e39bee8c-fe54-4a3f-824d-e5e2d1cca40a}}	Terraform	Medium	Access Control	Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile' ^{_{ad296c0d-8131-4d6b-b030-1b0e73a99ad3}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:AttachUserPolicy' ^{_{db78d14b-10e5-4e6e-84b1-dace6327b1ec}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' ^{_{19ffbe31-9d72-4379-9768-431195eae328}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy' ^{_{70b42736-efee-4bce-80d5-50358ed94990}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'iam:UpdateLoginProfile' ^{_{6deb34e2-5d9c-499a-801b-ea6d9eda894f}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ^{_{1743f5f1-0bb0-4934-acef-c80baa5dadfa}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' ^{_{7d544dad-8a6c-431c-84c1-5f07fe9afc0e}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' ^{_{eda48c88-2b7d-4e34-b6ca-04c0194aee17}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' ^{_{fa62ac4f-f5b9-45b9-97c1-625c8b6253ca}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' ^{_{034d0aee-620f-4bf7-b7fb-efdf661fdb9e}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Public Lambda via API Gateway ^{_{3ef8696c-e4ae-4872-92c7-520bb44dfe77}}	Terraform	Medium	Access Control	Allowing to run lambda function using public API Gateway (read more)	Documentation
Lambda Permission Principal Is Wildcard ^{_{e08ed7eb-f3ef-494d-9d22-2e3db756a347}}	Terraform	Medium	Access Control	Lambda Permission Principal should not contain a wildcard. (read more)	Documentation
IAM Access Key Is Exposed ^{_{7081f85c-b94d-40fd-8b45-a4f1cac75e46}}	Terraform	Medium	Access Control	IAM Access Key should not be active for root users (read more)	Documentation
IAM Policies Attached To User ^{_{b4378389-a9aa-44ee-91e7-ef183f11079e}}	Terraform	Medium	Access Control	IAM policies should be attached only to groups or roles (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:CreateAccessKey' ^{_{846646e3-2af1-428c-ac5d-271eccfa6faf}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' ^{_{9b877bd8-94b4-4c10-a060-8e0436cc09fa}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' ^{_{118281d0-6471-422e-a7c5-051bc667926e}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
API Gateway Without Configured Authorizer ^{_{0a96ce49-4163-4ee6-8169-eb3b0797d694}}	Terraform	Medium	Access Control	API Gateway REST API should have an API Gateway Authorizer (read more)	Documentation
Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' ^{_{8f3c16b3-354d-45db-8ad5-5066778a9485}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:CreateLoginProfile' ^{_{9a205ba3-0dd1-42eb-8d54-2ffec836b51a}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:PutUserPolicy' ^{_{8f75840d-9ee7-42f3-b203-b40e3979eb12}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Secrets Manager With Vulnerable Policy ^{_{fa00ce45-386d-4718-8392-fb485e1f3c5b}}	Terraform	Medium	Access Control	Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)	Documentation
User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' ^{_{8055dec2-efb8-4fe6-8837-d9bed6ff202a}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' ^{_{571254d8-aa6a-432e-9725-535d3ef04d69}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Neptune Cluster With IAM Database Authentication Disabled ^{_{c91d7ea0-d4d1-403b-8fe1-c9961ac082c5}}	Terraform	Medium	Access Control	Neptune Cluster should have IAM Database Authentication enabled (read more)	Documentation
User With Privilege Escalation By Actions 'iam:PutUserPolicy' ^{_{0c10d7da-85c4-4d62-b2a8-d6c104f1bd77}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'iam:AttachGroupPolicy' ^{_{6d23d87e-1c5b-4308-b224-92624300f29b}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ^{_{ec49cbfd-fae4-45f3-81b1-860526d66e3f}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' ^{_{7782d4b3-e23e-432b-9742-d9528432e771}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:PutRolePolicy' ^{_{eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
AMI Shared With Multiple Accounts ^{_{ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698}}	Terraform	Medium	Access Control	Limits access to AWS AMIs by checking if more than one account is using the same image (read more)	Documentation
Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' ^{_{be2aa235-bd93-4b68-978a-1cc65d49082f}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
REST API With Vulnerable Policy ^{_{b161c11b-a59b-4431-9a29-4e19f63e6b27}}	Terraform	Medium	Access Control	REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ^{_{ee49557d-750c-4cc1-aa95-94ab36cbefde}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' ^{_{94fbe150-27e3-4eba-9ca6-af32865e4503}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Cross-Account IAM Assume Role Policy Without ExternalId or MFA ^{_{09c35abf-5852-4622-ac7a-b987b331232e}}	Terraform	Medium	Access Control	Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile' ^{_{35ccf766-0e4d-41ed-9ec4-2dab155082b4}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' ^{_{f1173d8c-3264-4148-9fdb-61181e031b51}}	Terraform	Medium	Access Control	Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'iam:PutRolePolicy' ^{_{eeb4d37a-3c59-4789-a00c-1509bc3af1e5}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
User With Privilege Escalation By Actions 'iam:AddUserToGroup' ^{_{bf9d42c7-c2f9-4dfe-942c-c8cc8249a081}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Public and Private EC2 Share Role ^{_{c53c7a89-f9d7-4c7b-8b66-8a555be99593}}	Terraform	Medium	Access Control	Public and private EC2 istances should not share the same role. (read more)	Documentation
S3 Bucket Allows Public ACL ^{_{d0cc8694-fcad-43ff-ac86-32331d7e867f}}	Terraform	Medium	Access Control	S3 bucket allows public ACL (read more)	Documentation
User With Privilege Escalation By Actions 'iam:AttachUserPolicy' ^{_{70cb518c-d990-46f6-bc05-44a5041493d6}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Certificate Has Expired ^{_{c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6}}	Terraform	Medium	Access Control	Expired SSL/TLS certificates should be removed (read more)	Documentation
Policy Without Principal ^{_{bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54}}	Terraform	Medium	Access Control	All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)	Documentation
IAM User With Access To Console ^{_{9ec311bf-dfd9-421f-8498-0b063c8bc552}}	Terraform	Medium	Access Control	AWS IAM Users should not have access to console (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:AddUserToGroup' ^{_{970ed7a2-0aca-4425-acf1-0453c9ecbca1}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
ECR Repository Is Publicly Accessible ^{_{e86e26fc-489e-44f0-9bcd-97305e4ba69a}}	Terraform	Medium	Access Control	Amazon ECR image repositories shouldn't have public access (read more)	Documentation
Glue With Vulnerable Policy ^{_{d25edb51-07fb-4a73-97d4-41cecdc53a22}}	Terraform	Medium	Access Control	Glue policy should avoid wildcard in 'principals' and 'actions' (read more)	Documentation
User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' ^{_{33627268-1445-4385-988a-318fd9d1a512}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'iam:PutGroupPolicy' ^{_{e77c89f6-9c85-49ea-b95b-5f960fe5be92}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' ^{_{9b0ffadc-a61f-4c2a-b1e6-68fab60f6267}}	Terraform	Medium	Access Control	Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
Lambda With Vulnerable Policy ^{_{ad9dabc7-7839-4bae-a957-aa9120013f39}}	Terraform	Medium	Access Control	The attribute 'action' should not have wildcard (read more)	Documentation
Elasticsearch Domain With Vulnerable Policy ^{_{16c4216a-50d3-4785-bfb2-4adb5144a8ba}}	Terraform	Medium	Access Control	Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)	Documentation
SES Policy With Allowed IAM Actions ^{_{34b921bd-90a0-402e-a0a5-dc73371fd963}}	Terraform	Medium	Access Control	SES policy should not allow IAM actions to all principals (read more)	Documentation
API Gateway Method Does Not Contains An API Key ^{_{671211c5-5d2a-4e97-8867-30fc28b02216}}	Terraform	Medium	Access Control	An API Key should be required on a method request. (read more)	Documentation
User With Privilege Escalation By Actions 'iam:AttachRolePolicy' ^{_{e227091e-2228-4b40-b046-fc13650d8e88}}	Terraform	Medium	Access Control	User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)	Documentation
ElastiCache Nodes Not Created Across Multi AZ ^{_{6db03a91-f933-4f13-ab38-a8b87a7de54d}}	Terraform	Medium	Availability	ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)	Documentation
CMK Is Unusable ^{_{7350fa23-dcf7-4938-916d-6a60b0c73b50}}	Terraform	Medium	Availability	AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)	Documentation
ECS Service Without Running Tasks ^{_{91f16d09-689e-4926-aca7-155157f634ed}}	Terraform	Medium	Availability	ECS Service should have at least 1 task running (read more)	Documentation
Auto Scaling Group With No Associated ELB ^{_{8e94dced-9bcc-4203-8eb7-7e41202b2505}}	Terraform	Medium	Availability	AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)	Documentation
ElastiCache Redis Cluster Without Backup ^{_{8fdb08a0-a868-4fdf-9c27-ccab0237f1ab}}	Terraform	Medium	Backup	ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)	Documentation
RDS With Backup Disabled ^{_{1dc73fb4-5b51-430c-8c5f-25dcf9090b02}}	Terraform	Medium	Backup	Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)	Documentation
Stack Retention Disabled ^{_{6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97}}	Terraform	Medium	Backup	Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)	Documentation
IAM Password Without Lowercase Letter ^{_{bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9}}	Terraform	Medium	Best Practices	IAM Password should have at least one lowercase letter (read more)	Documentation
IAM Password Without Minimum Length ^{_{1bc1c685-e593-450e-88fb-19db4c82aa1d}}	Terraform	Medium	Best Practices	IAM password should have the required minimum length (read more)	Documentation
Cognito UserPool Without MFA ^{_{ec28bf61-a474-4dbe-b414-6dd3a067d6f0}}	Terraform	Medium	Best Practices	AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)	Documentation
IAM Password Without Symbol ^{_{7a70eed6-de3a-4da2-94da-a2bbc8fe2a48}}	Terraform	Medium	Best Practices	IAM password should have the required symbols (read more)	Documentation
Password Without Reuse Prevention ^{_{89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a}}	Terraform	Medium	Best Practices	Check if IAM account password has the reuse password configured with 24 (read more)	Documentation
IAM Password Without Uppercase Letter ^{_{c5ff7bc9-d8ea-46dd-81cb-8286f3222249}}	Terraform	Medium	Best Practices	IAM password should have at least one uppercase letter (read more)	Documentation
RDS Cluster With Backup Disabled ^{_{e542bd46-58c4-4e0f-a52a-1fb4f9548e02}}	Terraform	Medium	Best Practices	RDS Cluster backup retention period should be specifically defined (read more)	Documentation
ALB Not Dropping Invalid Headers ^{_{6e3fd2ed-5c83-4c68-9679-7700d224d379}}	Terraform	Medium	Best Practices	It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)	Documentation
Misconfigured Password Policy Expiration ^{_{ce60d060-efb8-4bfd-9cf7-ff8945d00d90}}	Terraform	Medium	Best Practices	No password expiration policy (read more)	Documentation
Stack Without Template ^{_{91bea7b8-0c31-4863-adc9-93f6177266c4}}	Terraform	Medium	Build Process	AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)	Documentation
ElasticSearch Not Encrypted At Rest ^{_{24e16922-4330-4e9d-be8a-caa90299466a}}	Terraform	Medium	Encryption	Check if ElasticSearch encryption is disabled at Rest (read more)	Documentation
Secretsmanager Secret Without KMS ^{_{a2f548f2-188c-4fff-b172-e9a6acb216bd}}	Terraform	Medium	Encryption	AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)	Documentation
SNS Topic Encrypted With AWS Managed Key ^{_{b1a72f66-2236-4f3b-87ba-0da1b366956f}}	Terraform	Medium	Encryption	SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)	Documentation
SSM Session Transit Encryption Disabled ^{_{ce60cc6b-6831-4bd7-84a2-cc7f8ee71433}}	Terraform	Medium	Encryption	SSM Session should be encrypted in transit (read more)	Documentation
DynamoDB Table Not Encrypted ^{_{ce089fd4-1406-47bd-8aad-c259772bb294}}	Terraform	Medium	Encryption	AWS DynamoDB Tables should have server-side encryption (read more)	Documentation
Unscanned ECR Image ^{_{9630336b-3fed-4096-8173-b9afdfe346a7}}	Terraform	Medium	Encryption	Checks if the ECR Image has been scanned (read more)	Documentation
Elasticsearch Domain Not Encrypted Node To Node ^{_{967eb3e6-26fc-497d-8895-6428beb6e8e2}}	Terraform	Medium	Encryption	Elasticsearch Domain encryption should be enabled node to node (read more)	Documentation
SNS Topic Not Encrypted ^{_{28545147-2fc6-42d5-a1f9-cf226658e591}}	Terraform	Medium	Encryption	SNS (Simple Notification Service) Topic should be encrypted (read more)	Documentation
ElastiCache Replication Group Not Encrypted At Rest ^{_{76976de7-c7b1-4f64-a94f-90c1345914c2}}	Terraform	Medium	Encryption	ElastiCache Replication Group encryption should be enabled at Rest (read more)	Documentation
Redis Disabled ^{_{4bd15dd9-8d5e-4008-8532-27eb0c3706d3}}	Terraform	Medium	Encryption	ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)	Documentation
Config Rule For Encrypted Volumes Disabled ^{_{abdb29d4-5ca1-4e91-800b-b3569bbd788c}}	Terraform	Medium	Encryption	Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)	Documentation
AmazonMQ Broker Encryption Disabled ^{_{3db3f534-e3a3-487f-88c7-0a9fbf64b702}}	Terraform	Medium	Encryption	AmazonMQ Broker should have Encryption Options defined (read more)	Documentation
CloudWatch Log Group Without KMS ^{_{0afbcfe9-d341-4b92-a64c-7e6de0543879}}	Terraform	Medium	Encryption	AWS CloudWatch Log groups should be encrypted using KMS (read more)	Documentation
SQS With SSE Disabled ^{_{6e8849c1-3aa7-40e3-9063-b85ee300f29f}}	Terraform	Medium	Encryption	Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)	Documentation
EBS Volume Encryption Disabled ^{_{cc997676-481b-4e93-aa81-d19f8c5e9b12}}	Terraform	Medium	Encryption	EBS volumes should be encrypted (read more)	Documentation
S3 Bucket Policy Accepts HTTP Requests ^{_{4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9}}	Terraform	Medium	Encryption	S3 Bucket policy should not accept HTTP Requests (read more)	Documentation
Secretsmanager Secret Encrypted With AWS Managed Key ^{_{b0d3ef3f-845d-4b1b-83d6-63a5a380375f}}	Terraform	Medium	Encryption	Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)	Documentation
API Gateway With Invalid Compression ^{_{ed35928e-195c-4405-a252-98ccb664ab7b}}	Terraform	Medium	Encryption	API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)	Documentation
ElasticSearch Encryption With KMS Disabled ^{_{7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2}}	Terraform	Medium	Encryption	Check if any ElasticSearch domain isn't encrypted with KMS. (read more)	Documentation
DOCDB Cluster Encrypted With AWS Managed Key ^{_{2134641d-30a4-4b16-8ffc-2cd4c4ffd15d}}	Terraform	Medium	Encryption	DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)	Documentation
Neptune Database Cluster Encryption Disabled ^{_{98d59056-f745-4ef5-8613-32bca8d40b7e}}	Terraform	Medium	Encryption	Neptune database cluster storage should have encryption enabled (read more)	Documentation
ElastiCache Replication Group Not Encrypted At Transit ^{_{1afbb3fa-cf6c-4a3d-b730-95e9f4df343e}}	Terraform	Medium	Encryption	ElastiCache Replication Group encryption should be enabled at Transit (read more)	Documentation
IAM User Has Too Many Access Keys ^{_{3561130e-9c5f-485b-9e16-2764c82763e5}}	Terraform	Medium	Insecure Configurations	Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)	Documentation
API Gateway Without SSL Certificate ^{_{0b4869fc-a842-4597-aa00-1294df425440}}	Terraform	Medium	Insecure Configurations	SSL Client Certificate should be enabled (read more)	Documentation
API Gateway With Open Access ^{_{15ccec05-5476-4890-ad19-53991eba1db8}}	Terraform	Medium	Insecure Configurations	API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)	Documentation
EKS Cluster Has Public Access ^{_{42f4b905-3736-4213-bfe9-c0660518cda8}}	Terraform	Medium	Insecure Configurations	Amazon EKS public endpoint shoud be set to false (read more)	Documentation
ECR Image Tag Not Immutable ^{_{d1846b12-20c5-4d45-8798-fc35b79268eb}}	Terraform	Medium	Insecure Configurations	ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)	Documentation
Instance With No VPC ^{_{a31a5a29-718a-4ff4-8001-a69e5e4d029e}}	Terraform	Medium	Insecure Configurations	EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)	Documentation
Certificate RSA Key Bytes Lower Than 256 ^{_{874d68a3-bfbe-4a4b-aaa0-9e74d7da634b}}	Terraform	Medium	Insecure Configurations	The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)	Documentation
AWS Password Policy With Unchangeable Passwords ^{_{9ef7d25d-9764-4224-9968-fa321c56ef76}}	Terraform	Medium	Insecure Configurations	Unchangeable passwords in AWS password policy (read more)	Documentation
Service Control Policies Disabled ^{_{5ba6229c-8057-433e-91d0-21cf13569ca9}}	Terraform	Medium	Insecure Configurations	Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)	Documentation
Redshift Cluster Without VPC ^{_{0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3}}	Terraform	Medium	Insecure Configurations	Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)	Documentation
MQ Broker Is Publicly Accessible ^{_{4eb5f791-c861-4afd-9f94-f2a6a3fe49cb}}	Terraform	Medium	Insecure Configurations	Check if any MQ Broker is not publicly accessible (read more)	Documentation
Dynamodb VPC Endpoint Without Route Table Association ^{_{0bc534c5-13d1-4353-a7fe-b8665d5c1d7d}}	Terraform	Medium	Networking and Firewall	Dynamodb VPC Endpoint should be associated with Route Table Association (read more)	Documentation
VPC Without Network Firewall ^{_{fd632aaf-b8a1-424d-a4d1-0de22fd3247a}}	Terraform	Medium	Networking and Firewall	VPC should have a Network Firewall associated (read more)	Documentation
API Gateway Endpoint Config is Not Private ^{_{6b2739db-9c49-4db7-b980-7816e0c248c1}}	Terraform	Medium	Networking and Firewall	The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)	Documentation
API Gateway without WAF ^{_{a186e82c-1078-4a7b-85d8-579561fde884}}	Terraform	Medium	Networking and Firewall	API Gateway should have WAF (Web Application Firewall) enabled (read more)	Documentation
SQS VPC Endpoint Without DNS Resolution ^{_{e9b7acf9-9ba0-4837-a744-31e7df1e434d}}	Terraform	Medium	Networking and Firewall	SQS VPC Endpoint should have DNS resolution enabled (read more)	Documentation
VPC Subnet Assigns Public IP ^{_{52f04a44-6bfa-4c41-b1d3-4ae99a2de05c}}	Terraform	Medium	Networking and Firewall	VPC Subnet should not assign public IP (read more)	Documentation
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible ^{_{54c417bf-c762-48b9-9d31-b3d87047e3f0}}	Terraform	Medium	Networking and Firewall	Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)	Documentation
Sensitive Port Is Exposed To Small Public Network ^{_{e35c16a2-d54e-419d-8546-a804d8e024d0}}	Terraform	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)	Documentation
Sensitive Port Is Exposed To Wide Private Network ^{_{92fe237e-074c-4262-81a4-2077acb928c1}}	Terraform	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)	Documentation
ALB Is Not Integrated With WAF ^{_{0afa6ab8-a047-48cf-be07-93a2f8c34cf7}}	Terraform	Medium	Networking and Firewall	All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)	Documentation
API Gateway X-Ray Disabled ^{_{5813ef56-fa94-406a-b35d-977d4a56ff2b}}	Terraform	Medium	Observability	API Gateway should have X-Ray Tracing enabled (read more)	Documentation
Redshift Cluster Logging Disabled ^{_{15ffbacc-fa42-4f6f-a57d-2feac7365caa}}	Terraform	Medium	Observability	Make sure Logging is enabled for Redshift Cluster (read more)	Documentation
API Gateway With CloudWatch Logging Disabled ^{_{982aa526-6970-4c59-8b9b-2ce7e019fe36}}	Terraform	Medium	Observability	AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)	Documentation
CloudWatch Metrics Disabled ^{_{081069cb-588b-4ce1-884c-2a1ce3029fe5}}	Terraform	Medium	Observability	Checks if CloudWatch Metrics is Enabled (read more)	Documentation
S3 Bucket Without Versioning ^{_{568a4d22-3517-44a6-a7ad-6a7eed88722c}}	Terraform	Medium	Observability	S3 bucket should have versioning enabled (read more)	Documentation
Configuration Aggregator to All Regions Disabled ^{_{ac5a0bc0-a54c-45aa-90c3-15f7703b9132}}	Terraform	Medium	Observability	AWS Config Configuration Aggregator All Regions must be set to True (read more)	Documentation
S3 Bucket Object Level CloudTrail Logging Disabled ^{_{a8fc2180-b3ac-4c93-bd0d-a55b974e4b07}}	Terraform	Medium	Observability	S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)	Documentation
ElasticSearch Without Slow Logs ^{_{e979fcbc-df6c-422d-9458-c33d65e71c45}}	Terraform	Medium	Observability	Ensure that AWS Elasticsearch enables support for slow logs (read more)	Documentation
S3 Bucket Logging Disabled ^{_{f861041c-8c9f-4156-acfc-5e6e524f5884}}	Terraform	Medium	Observability	Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)	Documentation
ELB Access Log Disabled ^{_{20018359-6fd7-4d05-ab26-d4dffccbdf79}}	Terraform	Medium	Observability	ELB should have logging enabled to help on error investigation (read more)	Documentation
CloudWatch AWS Organizations Changes Missing Alarm ^{_{38b85c45-e772-4de8-a247-69619ca137b3}}	Terraform	Medium	Observability	Ensure a log metric filter and alarm exist for AWS organizations changes (read more)	Documentation
API Gateway Deployment Without Access Log Setting ^{_{625abc0e-f980-4ac9-a775-f7519ee34296}}	Terraform	Medium	Observability	API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)	Documentation
CloudWatch Logging Disabled ^{_{7dbba512-e244-42dc-98bb-422339827967}}	Terraform	Medium	Observability	Check if CloudWatch logging is disabled for Route53 hosted zones (read more)	Documentation
GuardDuty Detector Disabled ^{_{704dadd3-54fc-48ac-b6a0-02f170011473}}	Terraform	Medium	Observability	Make sure that Amazon GuardDuty is Enabled (read more)	Documentation
CloudFront Logging Disabled ^{_{94690d79-b3b0-43de-b656-84ebef5753e5}}	Terraform	Medium	Observability	AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)	Documentation
API Gateway Access Logging Disabled ^{_{1b6799eb-4a7a-4b04-9001-8cceb9999326}}	Terraform	Medium	Observability	API Gateway should have Access Log Settings defined (read more)	Documentation
Cloudwatch Security Group Changes Alarm Missing ^{_{4beaf898-9f8b-4237-89e2-5ffdc7ee6006}}	Terraform	Medium	Observability	Ensure a log metric filter and alarm exist for security group changes (read more)	Documentation
Default VPC Exists ^{_{96ed3526-0179-4c73-b1b2-372fde2e0d13}}	Terraform	Medium	Observability	It isn't recommended to use resources in default VPC (read more)	Documentation
CloudWatch Management Console Auth Failed Alarm Missing ^{_{5864d189-ee9a-4009-ac0c-8a582e6b7919}}	Terraform	Medium	Observability	Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)	Documentation
MQ Broker Logging Disabled ^{_{31245f98-a6a9-4182-9fc1-45482b9d030a}}	Terraform	Medium	Observability	Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)	Documentation
CloudTrail Multi Region Disabled ^{_{8173d5eb-96b5-4aa6-a71b-ecfa153c123d}}	Terraform	Medium	Observability	CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)	Documentation
CloudWatch Without Retention Period Specified ^{_{ef0b316a-211e-42f1-888e-64efe172b755}}	Terraform	Medium	Observability	AWS CloudWatch Log groups should have retention days specified (read more)	Documentation
CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing ^{_{56a585f5-555c-48b2-8395-e64e4740a9cf}}	Terraform	Medium	Observability	Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)	Documentation
Stack Notifications Disabled ^{_{b72d0026-f649-4c91-a9ea-15d8f681ac09}}	Terraform	Medium	Observability	AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)	Documentation
Cloudwatch Cloudtrail Configuration Changes Alarm Missing ^{_{0f6cbf69-41bb-47dc-93f3-3844640bf480}}	Terraform	Medium	Observability	Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)	Documentation
MSK Cluster Logging Disabled ^{_{2f56b7ab-7fba-4e93-82f0-247e5ddeb239}}	Terraform	Medium	Observability	Ensure MSK Cluster Logging is enabled (read more)	Documentation
CloudTrail Not Integrated With CloudWatch ^{_{17b30f8f-8dfb-4597-adf6-57600b6cf25e}}	Terraform	Medium	Observability	CloudTrail should be integrated with CloudWatch (read more)	Documentation
CloudWatch S3 policy Change Alarm Missing ^{_{27c6a499-895a-4dc7-9617-5c485218db13}}	Terraform	Medium	Observability	Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)	Documentation
CloudTrail SNS Topic Name Undefined ^{_{482b7d26-0bdb-4b5f-bf6f-545826c0a3dd}}	Terraform	Medium	Observability	Check if SNS topic name is set for CloudTrail (read more)	Documentation
Elasticsearch Log Disabled ^{_{acb6b4e2-a086-4f35-aefd-4db6ea51ada2}}	Terraform	Medium	Observability	AWS Elasticsearch should have logs enabled (read more)	Documentation
No Stack Policy ^{_{2f01fb2d-828a-499d-b98e-b83747305052}}	Terraform	Medium	Resource Management	AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)	Documentation
Hardcoded AWS Access Key ^{_{d7b9d850-3e06-4a75-852f-c46c2e92240b}}	Terraform	Medium	Secret Management	AWS Access Key should not be hardcoded (read more)	Documentation
Hardcoded AWS Access Key In Lambda ^{_{1402afd8-a95c-4e84-8b0b-6fb43758e6ce}}	Terraform	Medium	Secret Management	Lambda access/secret keys should not be hardcoded (read more)	Documentation
IAM Group Without Users ^{_{fc101ca7-c9dd-4198-a1eb-0fbe92e80044}}	Terraform	Low	Access Control	IAM Group should have at least one user associated (read more)	Documentation
EC2 Instance Using API Keys ^{_{0b93729a-d882-4803-bdc3-ac429a21f158}}	Terraform	Low	Access Control	EC2 instances should use roles to be granted access to other AWS services (read more)	Documentation
S3 Bucket Public ACL Overridden By Public Access Block ^{_{bf878b1a-7418-4de3-b13c-3a86cf894920}}	Terraform	Low	Access Control	S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)	Documentation
SSO Identity User Unsafe Creation ^{_{4003118b-046b-4640-b200-b8c7a4c8b89f}}	Terraform	Low	Access Control	The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)	Documentation
IAM Role Allows All Principals To Assume ^{_{12b7e704-37f0-4d1e-911a-44bf60c48c21}}	Terraform	Low	Access Control	IAM role allows all services or principals to assume it (read more)	Documentation
EC2 Instance Using Default Security Group ^{_{f1adc521-f79a-4d71-b55b-a68294687432}}	Terraform	Low	Access Control	EC2 instances should not use default security group(s) (read more)	Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services ^{_{bcdcbdc6-a350-4855-ae7c-d1e6436f7c97}}	Terraform	Low	Access Control	IAM Policy should not grant 'AssumeRole' permission across all services. (read more)	Documentation
Autoscaling Groups Supply Tags ^{_{ba48df05-eaa1-4d64-905e-4a4b051e7587}}	Terraform	Low	Availability	Autoscaling groups should supply tags to configurate (read more)	Documentation
CDN Configuration Is Missing ^{_{1bc367f6-901d-4870-ad0c-71d79762ef52}}	Terraform	Low	Best Practices	Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)	Documentation
Lambda IAM InvokeFunction Misconfigured ^{_{0ca1017d-3b80-423e-bb9c-6cd5898d34bd}}	Terraform	Low	Best Practices	Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)	Documentation
ECR Repository Without Policy ^{_{69e7c320-b65d-41bb-be02-d63ecc0bcc9d}}	Terraform	Low	Best Practices	ECR Repository should have Policies attached to it (read more)	Documentation
Automatic Minor Upgrades Disabled ^{_{3b6d777b-76e3-4133-80a3-0d6f667ade7f}}	Terraform	Low	Best Practices	RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)	Documentation
Lambda Permission Misconfigured ^{_{75ec6890-83af-4bf1-9f16-e83726df0bd0}}	Terraform	Low	Best Practices	Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)	Documentation
IAM Access Analyzer Not Enabled ^{_{e592a0c5-5bdb-414c-9066-5dba7cdea370}}	Terraform	Low	Best Practices	IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)	Documentation
ECR Repository Not Encrypted With CMK ^{_{0e32d561-4b5a-4664-a6e3-a3fa85649157}}	Terraform	Low	Encryption	ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)	Documentation
CloudTrail Log Files Not Encrypted With KMS ^{_{5d9e3164-9265-470c-9a10-57ae454ac0c7}}	Terraform	Low	Encryption	Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)	Documentation
S3 Bucket Without Ignore Public ACL ^{_{4fa66806-0dd9-4f8d-9480-3174d39c7c91}}	Terraform	Low	Insecure Configurations	S3 bucket without ignore public ACL (read more)	Documentation
ALB Deletion Protection Disabled ^{_{afecd1f1-6378-4f7e-bb3b-60c35801fdd4}}	Terraform	Low	Insecure Configurations	Application Load Balancer should have deletion protection enabled (read more)	Documentation
Shield Advanced Not In Use ^{_{084c6686-2a70-4710-91b1-000393e54c12}}	Terraform	Low	Networking and Firewall	AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)	Documentation
EC2 Instance Using Default VPC ^{_{7e4a6e76-568d-43ef-8c4e-36dea481bff1}}	Terraform	Low	Networking and Firewall	EC2 Instances should not be configured under a default VPC network (read more)	Documentation
Redshift Using Default Port ^{_{41abc6cc-dde1-4217-83d3-fb5f0cc09d8f}}	Terraform	Low	Networking and Firewall	Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)	Documentation
RDS Using Default Port ^{_{bca7cc4d-b3a4-4345-9461-eb69c68fcd26}}	Terraform	Low	Networking and Firewall	RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)	Documentation
ElastiCache Using Default Port ^{_{5d89db57-8b51-4b38-bb76-b9bd42bd40f0}}	Terraform	Low	Networking and Firewall	ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)	Documentation
CloudFront Without WAF ^{_{1419b4c6-6d5c-4534-9cf6-6a5266085333}}	Terraform	Low	Networking and Firewall	All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)	Documentation
ElastiCache Without VPC ^{_{8c849af7-a399-46f7-a34c-32d3dc96f1fc}}	Terraform	Low	Networking and Firewall	ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)	Documentation
EMR Without VPC ^{_{2b3c8a6d-9856-43e6-ab1d-d651094f03b4}}	Terraform	Low	Networking and Firewall	Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)	Documentation
CloudTrail Log File Validation Disabled ^{_{52ffcfa6-6c70-4ea6-8376-d828d3961669}}	Terraform	Low	Observability	CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)	Documentation
VPC FlowLogs Disabled ^{_{f83121ea-03da-434f-9277-9cd247ab3047}}	Terraform	Low	Observability	Every VPC resource should have an associated Flow Log (read more)	Documentation
CloudWatch Route Table Changes Alarm Missing ^{_{2285e608-ddbc-47f3-ba54-ce7121e31216}}	Terraform	Low	Observability	Ensure a log metric filter and alarm exist for route table changes (read more)	Documentation
Missing Cluster Log Types ^{_{66f130d9-b81d-4e8e-9b08-da74b9c891df}}	Terraform	Low	Observability	Amazon EKS control plane logging don't enabled for all log types (read more)	Documentation
CloudWatch Changes To NACL Alarm Missing ^{_{0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0}}	Terraform	Low	Observability	Ensure a log metric filter and alarm exist for changes to NACL (read more)	Documentation
CloudWatch AWS Config Configuration Changes Alarm Missing ^{_{5b8d7527-de8e-4114-b9dd-9d988f1f418f}}	Terraform	Low	Observability	Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)	Documentation
CloudWatch Network Gateways Changes Alarm Missing ^{_{6b6874fe-4c2f-4eea-8b90-7cceaa4a125e}}	Terraform	Low	Observability	Ensure a log metric filter and alarm exist for network gateways changes (read more)	Documentation
Lambda Functions Without X-Ray Tracing ^{_{8152e0cf-d2f0-47ad-96d5-d003a76eabd1}}	Terraform	Low	Observability	AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)	Documentation
ECS Cluster with Container Insights Disabled ^{_{97cb0688-369a-4d26-b1f7-86c4c91231bc}}	Terraform	Low	Observability	ECS Cluster should enable container insights (read more)	Documentation
CloudWatch VPC Changes Alarm Missing ^{_{9d0d4512-1959-43a2-a17f-72360ff06d1b}}	Terraform	Low	Observability	Ensure a log metric filter and alarm exist for VPC changes (read more)	Documentation
Global Accelerator Flow Logs Disabled ^{_{96e8183b-e985-457b-90cd-61c0503a3369}}	Terraform	Low	Observability	Global Accelerator should have flow logs enabled (read more)	Documentation
DocDB Logging Is Disabled ^{_{56f6a008-1b14-4af4-b9b2-ab7cf7e27641}}	Terraform	Low	Observability	DocDB logging should be enabled (read more)	Documentation
EKS cluster logging is not enabled ^{_{37304d3f-f852-40b8-ae3f-725e87a7cedf}}	Terraform	Low	Observability	Amazon EKS control plane logging is not enabled (read more)	Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated ^{_{b3a59b8e-94a3-403e-b6e2-527abaf12034}}	Terraform	Low	Observability	API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)	Documentation
API Gateway Stage Without API Gateway UsagePlan Associated ^{_{c999cf62-0920-40f8-8dda-0caccd66ed7e}}	Terraform	Low	Resource Management	API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)	Documentation
Security Group Not Used ^{_{4849211b-ac39-479e-ae78-5694d506cb24}}	Terraform	Info	Access Control	Security group must be used or not declared (read more)	Documentation
Security Group Rule Without Description ^{_{cb3f5ed6-0d18-40de-a93d-b3538db31e8c}}	Terraform	Info	Best Practices	It's considered a best practice for AWS Security Group to have a description (read more)	Documentation
DynamoDB Table Point In Time Recovery Disabled ^{_{741f1291-47ac-4a85-a07b-3d32a9d6bd3e}}	Terraform	Info	Best Practices	It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)	Documentation
Resource Not Using Tags ^{_{e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10}}	Terraform	Info	Best Practices	AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)	Documentation
EC2 Not EBS Optimized ^{_{60224630-175a-472a-9e23-133827040766}}	Terraform	Info	Best Practices	It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)	Documentation
Security Group Rule Without Description ^{_{68eb4bf3-f9bf-463d-b5cf-e029bb446d2e}}	Terraform	Info	Best Practices	It's considered a best practice for all rules in AWS Security Group to have a description (read more)	Documentation
EC2 Instance Monitoring Disabled ^{_{23b70e32-032e-4fa6-ba5c-82f56b9980e6}}	Terraform	Info	Observability	EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)	Documentation
Neptune Logging Is Disabled ^{_{45cff7b6-3b80-40c1-ba7b-2cf480678bb8}}	Terraform	Info	Observability	Neptune logging should be enabled (read more)	Documentation
RDS Without Logging ^{_{8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56}}	Terraform	Info	Observability	RDS does not have any kind of logger (read more)	Documentation
BOM - AWS MSK ^{_{051f2063-2517-4295-ad8e-ba88c1bf5cfc}}	Terraform	Trace	Bill Of Materials	A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)	Documentation
BOM - AWS RDS ^{_{12933609-c5bf-44b4-9a41-a6467c3b685b}}	Terraform	Trace	Bill Of Materials	A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)	Documentation
BOM - AWS EBS ^{_{86571149-eef3-4280-a645-01e60df854b0}}	Terraform	Trace	Bill Of Materials	A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)	Documentation
BOM - AWS S3 Buckets ^{_{2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045}}	Terraform	Trace	Bill Of Materials	A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)	Documentation
BOM - AWS Elasticache ^{_{54229498-850b-4f78-b3a7-218d24ef2c37}}	Terraform	Trace	Bill Of Materials	A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)	Documentation
BOM - AWS DynamoDB ^{_{23edf35f-7c22-4ff9-87e6-0ca74261cfbf}}	Terraform	Trace	Bill Of Materials	A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)	Documentation
BOM - AWS MQ ^{_{fcb1b388-f558-4b7f-9b6e-f4e98abb7380}}	Terraform	Trace	Bill Of Materials	A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)	Documentation
BOM - AWS SNS ^{_{eccc4d59-74b9-4974-86f1-74386e0c7f33}}	Terraform	Trace	Bill Of Materials	A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)	Documentation
BOM - AWS EFS ^{_{f53f16d6-46a9-4277-9fbe-617b1e24cdca}}	Terraform	Trace	Bill Of Materials	A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)	Documentation
BOM - AWS SQS ^{_{baecd2da-492a-4d59-b9dc-29540a1398e0}}	Terraform	Trace	Bill Of Materials	A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)	Documentation
BOM - AWS Kinesis ^{_{0e59d33e-bba2-4037-8f88-9765647ca7ad}}	Terraform	Trace	Bill Of Materials	A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)	Documentation
OSS Bucket Allows List Action From All Principals ^{_{88541597-6f88-42c8-bac6-7e0b855e8ff6}}	Terraform	High	Access Control	OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)	Documentation
OSS Bucket Allows Put Action From All Principals ^{_{fe286195-e75c-4359-bd58-00847c4f855a}}	Terraform	High	Access Control	OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)	Documentation
Ram Policy Admin Access Not Attached to Users Groups Roles ^{_{e8e62026-da63-4904-b402-65adfe3ca975}}	Terraform	High	Access Control	Ram policies with admin access should not be associated to users, groups or roles (read more)	Documentation
RAM Security Preference Not Enforce MFA Login ^{_{dcda2d32-e482-43ee-a926-75eaabeaa4e0}}	Terraform	High	Access Control	RAM Security preferences should enforce MFA login for RAM users (read more)	Documentation
OSS Bucket Allows Delete Action From All Principals ^{_{8c0695d8-2378-4cd6-8243-7fd5894fa574}}	Terraform	High	Access Control	OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)	Documentation
OSS Bucket Allows All Actions From All Principals ^{_{ec62a32c-a297-41ca-a850-cab40b42094a}}	Terraform	High	Access Control	OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)	Documentation
OSS Bucket Public Access Enabled ^{_{62232513-b16f-4010-83d7-51d0e1d45426}}	Terraform	High	Access Control	OSS Bucket should have public access disabled (read more)	Documentation
RDS Instance TDE Status Disabled ^{_{44d434ca-a9bf-4203-8828-4c81a8d5a598}}	Terraform	High	Encryption	tde_status parameter should be Enabled for supported RDS instances (read more)	Documentation
NAS File System Without KMS ^{_{5f670f9d-b1b4-4c90-8618-2288f1ab9676}}	Terraform	High	Encryption	NAS File System should have encryption provided by user KMS (read more)	Documentation
NAS File System Not Encrypted ^{_{67bfdff1-31ce-4525-b564-e94368735360}}	Terraform	High	Encryption	NAS File System must be encrypted (read more)	Documentation
Ecs Data Disk Kms Key Id Undefined ^{_{f262118c-1ac6-4bb3-8495-cc48f1775b85}}	Terraform	High	Encryption	Ecs Data Disk Kms Key Id should be set (read more)	Documentation
Launch Template Is Not Encrypted ^{_{1455cb21-1d48-46d6-8ae3-cef911b71fd5}}	Terraform	High	Encryption	ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)	Documentation
RDS DB Instance Publicly Accessible ^{_{faaefc15-51a5-419e-bb5e-51a4b5ab3485}}	Terraform	High	Insecure Configurations	The field 'address' should not be set to '0.0.0.0/0' (read more)	Documentation
OSS Bucket Has Static Website ^{_{2b13c6ff-b87a-484d-86fd-21ef6e97d426}}	Terraform	High	Insecure Configurations	Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)	Documentation
RDS DB Instance Publicly Accessible ^{_{1b4565c0-4877-49ac-ab03-adebbccd42ae}}	Terraform	High	Insecure Configurations	'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)	Documentation
OSS Buckets Secure Transport Disabled ^{_{c01d10de-c468-4790-b3a0-fc887a56f289}}	Terraform	High	Networking and Firewall	OSS Buckets should have secure transport enabled (read more)	Documentation
Public Security Group Rule Sensitive Port ^{_{2ae9d554-23fb-4065-bfd1-fe43d5f7c419}}	Terraform	High	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)	Documentation
RDS Instance SSL Action Disabled ^{_{7a1ee8a9-71be-4b11-bb70-efb62d16863b}}	Terraform	High	Networking and Firewall	ssl_action parameter should be set to Open for RDS instances (read more)	Documentation
API Gateway API Protocol Not HTTPS ^{_{1bcdf9f0-b1aa-40a4-b8c6-cd7785836843}}	Terraform	High	Networking and Firewall	API Gateway API protocol should be set to HTTPS (read more)	Documentation
OSS Bucket Ip Restriction Disabled ^{_{6107c530-7178-464a-88bc-df9cdd364ac8}}	Terraform	High	Networking and Firewall	OSS Bucket should have ip restricted access (read more)	Documentation
ALB Listening on HTTP ^{_{ee3b1557-9fb5-4685-a95d-93f1edf2a0d7}}	Terraform	High	Networking and Firewall	Application Load Balancer (alb) Listener should not listen on HTTP (read more)	Documentation
Public Security Group Rule All Ports or Protocols ^{_{60587dbd-6b67-432e-90f7-a8cf1892d968}}	Terraform	High	Networking and Firewall	Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)	Documentation
RDS Instance Events Not Logged ^{_{b9c524a4-fe76-4021-a6a2-cb978fb4fde1}}	Terraform	High	Observability	All RDS Instance events trackers should be 'true' (read more)	Documentation
ActionTrail Trail OSS Bucket is Publicly Accessible ^{_{69b5d7da-a5db-4db9-a42e-90b65d0efb0b}}	Terraform	High	Observability	ActionTrail Trail OSS Bucket should not be publicly accessible (read more)	Documentation
Ram Account Password Policy Not Required Minimum Length ^{_{a9dfec39-a740-4105-bbd6-721ba163c053}}	Terraform	High	Secret Management	Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)	Documentation
Ram Account Password Policy Max Login Attempts Unrecommended ^{_{e76fd7ab-7333-40c6-a2d8-ea28af4a319e}}	Terraform	High	Secret Management	Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)	Documentation
Ram Policy Attached to User ^{_{66505003-7aba-45a1-8d83-5162d5706ef5}}	Terraform	Medium	Access Control	Ram policies should not be attached to users (read more)	Documentation
CMK Is Unusable ^{_{ed6e3ba0-278f-47b6-a1f5-173576b40b7e}}	Terraform	Medium	Availability	Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)	Documentation
ROS Stack Retention Disabled ^{_{4bb06fa1-2114-4a00-b7b5-6aeab8b896f0}}	Terraform	Medium	Backup	The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)	Documentation
OSS Bucket Versioning Disabled ^{_{70919c0b-2548-4e6b-8d7a-3d84ab6dabba}}	Terraform	Medium	Backup	OSS Bucket should have versioning enabled (read more)	Documentation
ROS Stack Without Template ^{_{92d65c51-5d82-4507-a2a1-d252e9706855}}	Terraform	Medium	Build Process	Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)	Documentation
OSS Bucket Encryption Using CMK Disabled ^{_{f20e97f9-4919-43f1-9be9-f203cd339cdd}}	Terraform	Medium	Encryption	OSS Bucket should have encryption enabled using Customer Master Key (read more)	Documentation
SLB Policy With Insecure TLS Version In Use ^{_{dbfc834a-56e5-4750-b5da-73fda8e73f70}}	Terraform	Medium	Encryption	SLB Policy should not support insecure versions of TLS protocol (read more)	Documentation
Disk Encryption Disabled ^{_{39750e32-3fe9-453b-8c33-dd277acdb2cc}}	Terraform	Medium	Encryption	Disks should have encryption enabled (read more)	Documentation
CS Kubernetes Node Pool Auto Repair Disabled ^{_{81ce9394-013d-4731-8fcc-9d229b474073}}	Terraform	Medium	Insecure Configurations	Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)	Documentation
Public Security Group Rule Unknown Port ^{_{dd706080-b7a8-47dc-81fb-3e8184430ec0}}	Terraform	Medium	Networking and Firewall	A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)	Documentation
Kubernetes Cluster Without Terway as CNI Network Plugin ^{_{b9b7ada8-3868-4a35-854e-6100a2bb863d}}	Terraform	Medium	Networking and Firewall	Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)	Documentation
ROS Stack Notifications Disabled ^{_{9ef08939-ea40-489c-8851-667870b2ef50}}	Terraform	Medium	Observability	The ROS Stack Notifications should be defined and populated to receive stack related events (read more)	Documentation
Action Trail Logging For All Regions Disabled ^{_{c065b98e-1515-4991-9dca-b602bd6a2fbb}}	Terraform	Medium	Observability	Action Trail Logging for all regions should be enabled (read more)	Documentation
RDS Instance Retention Period Not Recommended ^{_{dc158941-28ce-481d-a7fa-dc80761edf46}}	Terraform	Medium	Observability	RDS Instance SQL Retention Period should be greater than 180 (read more)	Documentation
OSS Bucket Logging Disabled ^{_{05db341e-de7d-4972-a106-3e2bd5ee53e1}}	Terraform	Medium	Observability	OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)	Documentation
Log Retention Is Not Greater Than 90 Days ^{_{ed6cf6ff-9a1f-491c-9f88-e03c0807f390}}	Terraform	Medium	Observability	OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)	Documentation
No ROS Stack Policy ^{_{72ceb736-0aee-43ea-a191-3a69ab135681}}	Terraform	Medium	Resource Management	ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)	Documentation
RAM Account Password Policy Not Require at Least one Uppercase Character ^{_{5e0fb613-ba9b-44c3-88f0-b44188466bfd}}	Terraform	Medium	Secret Management	Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)	Documentation
RAM Account Password Policy Not Required Symbols ^{_{41a38329-d81b-4be4-aef4-55b2615d3282}}	Terraform	Medium	Secret Management	RAM account password security should require at least one symbol (read more)	Documentation
High KMS Key Rotation Period ^{_{cb319d87-b90f-485e-a7e7-f2408380f309}}	Terraform	Medium	Secret Management	KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)	Documentation
Ram Account Password Policy Not Required Numbers ^{_{063234c0-91c0-4ab5-bbd0-47ddb5f23786}}	Terraform	Medium	Secret Management	Ram Account Password Policy should have 'require_numbers' set to true (read more)	Documentation
Ram Account Password Policy Max Password Age Unrecommended ^{_{2bb13841-7575-439e-8e0a-cccd9ede2fa8}}	Terraform	Medium	Secret Management	Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)	Documentation
RAM Account Password Policy without Reuse Prevention ^{_{a8128dd2-89b0-464b-98e9-5d629041dfe0}}	Terraform	Medium	Secret Management	RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)	Documentation
Ram Account Password Policy Not Require At Least one Lowercase Character ^{_{89143358-cec6-49f5-9392-920c591c669c}}	Terraform	Medium	Secret Management	Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)	Documentation
OSS Bucket Transfer Acceleration Disabled ^{_{8f98334a-99aa-4d85-b72a-1399ca010413}}	Terraform	Low	Availability	OSS Bucket should have transfer acceleration enabled (read more)	Documentation
OSS Bucket Lifecycle Rule Disabled ^{_{7db8bd7e-9772-478c-9ec5-4bc202c5686f}}	Terraform	Low	Backup	OSS Bucket should have lifecycle rule enabled and set to true (read more)	Documentation
RDS Instance Log Connections Disabled ^{_{140869ea-25f2-40d4-a595-0c0da135114e}}	Terraform	Low	Observability	'log_connections' parameter should be set to ON for RDS instances (read more)	Documentation
VPC Flow Logs Disabled ^{_{d2731f3d-a992-44ed-812e-f4f1c2747d71}}	Terraform	Low	Observability	Every VPC resource should have an associated Flow Log (read more)	Documentation
RDS Instance Log Disconnections Disabled ^{_{d53f4123-f8d8-4224-8cb3-f920b151cc98}}	Terraform	Low	Observability	log_disconnections parameter should be set to ON for RDS instances (read more)	Documentation
RDS Instance Log Duration Disabled ^{_{a597e05a-c065-44e7-9cc8-742f572a504a}}	Terraform	Low	Observability	log_duration parameter should be set to ON for RDS instances (read more)	Documentation
BOM - GCP Dataflow ^{_{895ed0d9-6fec-4567-8614-d7a74b599a53}}	Terraform	Trace	Bill Of Materials	A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)	Documentation
BOM - GCP PST ^{_{4b82202a-b18e-4891-a1eb-a0989850bbb3}}	Terraform	Trace	Bill Of Materials	A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)	Documentation
BOM - GCP FI ^{_{c9d81239-c818-4869-9917-1570c62b81fd}}	Terraform	Trace	Bill Of Materials	A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)	Documentation
BOM - GCP Redis ^{_{bc75ce52-a60a-4660-b533-bce837a5019b}}	Terraform	Trace	Bill Of Materials	A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)	Documentation
BOM - GCP SB ^{_{2f06d22c-56bd-4f73-8a51-db001fcf2150}}	Terraform	Trace	Bill Of Materials	A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)	Documentation
BOM - GCP PD ^{_{dd7d70aa-a6ec-460d-b5d2-38b40253b16f}}	Terraform	Trace	Bill Of Materials	A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)	Documentation
Privilege Escalation Allowed ^{_{c878abb4-cca5-4724-92b9-289be68bd47c}}	Terraform	High	Insecure Configurations	Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)	Documentation
Cluster Allows Unsafe Sysctls ^{_{a9174d31-d526-4ad9-ace4-ce7ddbf52e03}}	Terraform	High	Insecure Configurations	A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)	Documentation
PSP Allows Containers To Share The Host Network Namespace ^{_{4950837c-0ce5-4e42-9bee-a25eae73740b}}	Terraform	High	Insecure Configurations	Check if Pod Security Policies allow containers to share the host network namespace. (read more)	Documentation
Tiller (Helm v2) Is Deployed ^{_{ca2fba76-c1a7-4afd-be67-5249f861cb0e}}	Terraform	High	Insecure Configurations	Check if Tiller is deployed. (read more)	Documentation
Not Limited Capabilities For Pod Security Policy ^{_{2acb555f-f4ad-4b1b-b984-84e6588f4b05}}	Terraform	High	Insecure Configurations	Limit capabilities for a Pod Security Policy (read more)	Documentation
Container Is Privileged ^{_{87065ef8-de9b-40d8-9753-f4a4303e27a4}}	Terraform	High	Insecure Configurations	Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)	Documentation
Role Binding To Default Service Account ^{_{3360c01e-c8c0-4812-96a2-a6329b9b7f9f}}	Terraform	High	Insecure Defaults	No role nor cluster role should bind to a default service account (read more)	Documentation
Permissive Access to Create Pods ^{_{522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba}}	Terraform	Medium	Access Control	The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)	Documentation
Non Kube System Pod With Host Mount ^{_{86a947ea-f577-4efb-a8b0-5fc00257d521}}	Terraform	Medium	Access Control	A non kube-system workload should not have hostPath mounted (read more)	Documentation
RBAC Roles with Read Secrets Permissions ^{_{826abb30-3cd5-4e0b-a93b-67729b4f7e63}}	Terraform	Medium	Access Control	Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)	Documentation
Readiness Probe Is Not Configured ^{_{8657197e-3f87-4694-892b-8144701d83c1}}	Terraform	Medium	Availability	Check if Readiness Probe is not configured. (read more)	Documentation
Root Containers Admitted ^{_{4c415497-7410-4559-90e8-f2c8ac64ee38}}	Terraform	Medium	Best Practices	Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)	Documentation
Incorrect Volume Claim Access Mode ReadWriteOnce ^{_{26b047a9-0329-48fd-8fb7-05bbe5ba80ee}}	Terraform	Medium	Build Process	Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)	Documentation
Container Resources Limits Undefined ^{_{60af03ff-a421-45c8-b214-6741035476fa}}	Terraform	Medium	Insecure Configurations	Kubernetes container should have resource limitations defined such as CPU and memory (read more)	Documentation
Seccomp Profile Is Not Configured ^{_{455f2e0c-686d-4fcb-8b5f-3f953f12c43c}}	Terraform	Medium	Insecure Configurations	Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)	Documentation
NET_RAW Capabilities Not Being Dropped ^{_{e5587d53-a673-4a6b-b3f2-ba07ec274def}}	Terraform	Medium	Insecure Configurations	Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)	Documentation
PSP With Added Capabilities ^{_{48388bd2-7201-4dcc-b56d-e8a9efa58fad}}	Terraform	Medium	Insecure Configurations	PodSecurityPolicy should not have added capabilities (read more)	Documentation
PSP Allows Privilege Escalation ^{_{2bff9906-4e9b-4f71-9346-8ebedfdf43ef}}	Terraform	Medium	Insecure Configurations	PodSecurityPolicy should not allow privilege escalation (read more)	Documentation
Container Runs Unmasked ^{_{0ad60203-c050-4115-83b6-b94bde92541d}}	Terraform	Medium	Insecure Configurations	Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)	Documentation
Containers With Added Capabilities ^{_{fe771ff7-ba15-4f8f-ad7a-8aa232b49a28}}	Terraform	Medium	Insecure Configurations	Containers should not have extra capabilities allowed (read more)	Documentation
PSP Allows Sharing Host IPC ^{_{51bed0ac-a8ae-407a-895e-90c6cb0610ce}}	Terraform	Medium	Insecure Configurations	Pod Security Policy allows containers to share the host IPC namespace (read more)	Documentation
Ingress Controller Exposes Workload ^{_{e2c83c1f-84d7-4467-966c-ed41fd015bb9}}	Terraform	Medium	Insecure Configurations	Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)	Documentation
PSP Set To Privileged ^{_{a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9}}	Terraform	Medium	Insecure Configurations	Do not allow pod to request execution as privileged. (read more)	Documentation
Workload Mounting With Sensitive OS Directory ^{_{a737be28-37d8-4bff-aa6d-1be8aa0a0015}}	Terraform	Medium	Insecure Configurations	Workload is mounting a volume with sensitive OS Directory (read more)	Documentation
Using Default Namespace ^{_{abcb818b-5af7-4d72-aba9-6dd84956b451}}	Terraform	Medium	Insecure Configurations	The default namespace should not be used (read more)	Documentation
Default Service Account In Use ^{_{737a0dd9-0aaa-4145-8118-f01778262b8a}}	Terraform	Medium	Insecure Configurations	Default service accounts should not be actively used (read more)	Documentation
Containers With Sys Admin Capabilities ^{_{3f55386d-75cd-4e9a-ac47-167b26c04724}}	Terraform	Medium	Insecure Configurations	Containers should not have CAP_SYS_ADMIN Linux capability (read more)	Documentation
NET_RAW Capabilities Disabled for PSP ^{_{9aa32890-ac1a-45ee-81ca-5164e2098556}}	Terraform	Medium	Insecure Configurations	Containers need to have NET_RAW or All as drop capabilities (read more)	Documentation
Container Host Pid Is True ^{_{587d5d82-70cf-449b-9817-f60f9bccb88c}}	Terraform	Medium	Insecure Configurations	Minimize the admission of containers wishing to share the host process ID namespace (read more)	Documentation
Service Account Token Automount Not Disabled ^{_{a9a13d4f-f17a-491b-b074-f54bffffcb4a}}	Terraform	Medium	Insecure Defaults	Service Account Tokens are automatically mounted even if not necessary (read more)	Documentation
Service Account Name Undefined Or Empty ^{_{24b132df-5cc7-4823-8029-f898e1c50b72}}	Terraform	Medium	Insecure Defaults	A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)	Documentation
Network Policy Is Not Targeting Any Pod ^{_{b80b14c6-aaa2-4876-b651-8a48b6c32fbf}}	Terraform	Medium	Networking and Firewall	Check if any network policy is not targeting any pod. (read more)	Documentation
Service With External Load Balancer ^{_{2a52567c-abb8-4651-a038-52fa27c77aed}}	Terraform	Medium	Networking and Firewall	Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)	Documentation
Shared Host Network Namespace ^{_{ac1564a3-c324-4747-9fa1-9dfc234dace0}}	Terraform	Medium	Resource Management	Container should not share the host network namespace (read more)	Documentation
Memory Limits Not Defined ^{_{fd097ed0-7fe6-4f58-8b71-fef9f0820a21}}	Terraform	Medium	Resource Management	Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)	Documentation
Volume Mount With OS Directory Write Permissions ^{_{a62a99d1-8196-432f-8f80-3c100b05d62a}}	Terraform	Medium	Resource Management	Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)	Documentation
Memory Requests Not Defined ^{_{21719347-d02b-497d-bda4-04a03c8e5b61}}	Terraform	Medium	Resource Management	Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)	Documentation
CPU Limits Not Set ^{_{5f4735ce-b9ba-4d95-a089-a37a767b716f}}	Terraform	Medium	Resource Management	CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)	Documentation
CPU Requests Not Set ^{_{577ac19c-6a77-46d7-9f14-e049cdd15ec2}}	Terraform	Medium	Resource Management	CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)	Documentation
Shared Host IPC Namespace ^{_{e94d3121-c2d1-4e34-a295-139bfeb73ea3}}	Terraform	Medium	Resource Management	Container should not share the host IPC namespace (read more)	Documentation
Service Account Allows Access Secrets ^{_{07fc3413-e572-42f7-9877-5c8fc6fccfb5}}	Terraform	Medium	Secret Management	Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)	Documentation
Shared Service Account ^{_{f74b9c43-161a-4799-bc95-0b0ec81801b9}}	Terraform	Medium	Secret Management	A Service Account token is shared between workloads (read more)	Documentation
Cluster Admin Rolebinding With Superuser Permissions ^{_{17172bc2-56fb-4f17-916f-a014147706cd}}	Terraform	Low	Access Control	Ensure that the cluster-admin role is only used where required (RBAC) (read more)	Documentation
Docker Daemon Socket is Exposed to Containers ^{_{4e203a65-c8d8-49a2-b749-b124d43c9dc1}}	Terraform	Low	Access Control	Sees if Docker Daemon Socket is not exposed to Containers (read more)	Documentation
Missing App Armor Config ^{_{bd6bd46c-57db-4887-956d-d372f21291b6}}	Terraform	Low	Access Control	Containers should be configured with AppArmor for any application to reduce its potential attack (read more)	Documentation
Liveness Probe Is Not Defined ^{_{5b6d53dd-3ba3-4269-b4d7-f82e880e43c3}}	Terraform	Low	Availability	In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)	Documentation
Deployment Without PodDisruptionBudget ^{_{a05331ee-1653-45cb-91e6-13637a76e4f0}}	Terraform	Low	Availability	Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)	Documentation
HPA Targets Invalid Object ^{_{17e52ca3-ddd0-4610-9d56-ce107442e110}}	Terraform	Low	Availability	The Horizontal Pod Autoscaler must target a valid object (read more)	Documentation
StatefulSet Without Service Name ^{_{420e6360-47bb-46f6-9072-b20ed22c842d}}	Terraform	Low	Availability	StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)	Documentation
StatefulSet Without PodDisruptionBudget ^{_{7249e3b0-9231-4af3-bc5f-5daf4988ecbf}}	Terraform	Low	Availability	StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)	Documentation
No Drop Capabilities for Containers ^{_{21cef75f-289f-470e-8038-c7cee0664164}}	Terraform	Low	Best Practices	Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)	Documentation
Metadata Label Is Invalid ^{_{bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e}}	Terraform	Low	Best Practices	Check if any label in the metadata is invalid. (read more)	Documentation
StatefulSet Requests Storage ^{_{fcc2612a-1dfe-46e4-8ce6-0320959f0040}}	Terraform	Low	Build Process	A StatefulSet requests volume storage. (read more)	Documentation
Root Container Not Mounted As Read-only ^{_{d532566b-8d9d-4f3b-80bd-361fe802f9c2}}	Terraform	Low	Build Process	Check if the root container filesystem is not being mounted as read-only. (read more)	Documentation
Pod or Container Without Security Context ^{_{ad69e38a-d92e-4357-a8da-f2f29d545883}}	Terraform	Low	Insecure Configurations	A security context defines privilege and access control settings for a Pod or Container (read more)	Documentation
Image Without Digest ^{_{228c4c19-feeb-4c18-848c-800ac70fdfb7}}	Terraform	Low	Insecure Configurations	Images should be specified together with their digests to ensure integrity (read more)	Documentation
Image Pull Policy Of The Container Is Not Set To Always ^{_{aa737abf-6b1d-4aba-95aa-5c160bd7f96e}}	Terraform	Low	Insecure Configurations	Image Pull Policy of the container must be defined and set to Always (read more)	Documentation
Service Type is NodePort ^{_{5c281bf8-d9bb-47f2-b909-3f6bb11874ad}}	Terraform	Low	Networking and Firewall	Service type should not be NodePort (read more)	Documentation
Workload Host Port Not Specified ^{_{4e74cf4f-ff65-4c1a-885c-67ab608206ce}}	Terraform	Low	Networking and Firewall	Verifies if Kubernetes workload's host port is specified (read more)	Documentation
Deployment Has No PodAntiAffinity ^{_{461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3}}	Terraform	Low	Resource Management	Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)	Documentation
CronJob Deadline Not Configured ^{_{58876b44-a690-4e9f-9214-7735fa0dd15d}}	Terraform	Low	Resource Management	Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)	Documentation
Secrets As Environment Variables ^{_{6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8}}	Terraform	Low	Secret Management	Container should not use secrets as environment variables (read more)	Documentation
Invalid Image ^{_{e76cca7c-c3f9-4fc9-884c-b2831168ebd8}}	Terraform	Low	Supply-Chain	Image must be defined and not be empty or equal to latest. (read more)	Documentation
Github Organization Webhook With SSL Disabled ^{_{ce7c874e-1b88-450b-a5e4-cb76ada3c8a9}}	Terraform	Medium	Encryption	Check if insecure SSL is being used in the GitHub organization webhooks (read more)	Documentation
GitHub Repository Set To Public ^{_{15d8a7fd-465a-4d15-a868-add86552f17b}}	Terraform	Medium	Insecure Configurations	Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)	Documentation
Cloud Storage Anonymous or Publicly Accessible ^{_{a6cd52a1-3056-4910-96a5-894de9f3f3b3}}	Terraform	High	Access Control	Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)	Documentation
Cloud Storage Bucket Is Publicly Accessible ^{_{c010082c-76e0-4b91-91d9-6e8439e455dd}}	Terraform	High	Access Control	Cloud Storage Bucket is anonymously or publicly accessible (read more)	Documentation
OSLogin Disabled ^{_{32ecd6eb-0711-421f-9627-1a28d9eff217}}	Terraform	High	Access Control	Verifies that the OSLogin is enabled (read more)	Documentation
VM With Full Cloud Access ^{_{bc280331-27b9-4acb-a010-018e8098aa5d}}	Terraform	High	Access Control	A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)	Documentation
BigQuery Dataset Is Public ^{_{e576ce44-dd03-4022-a8c0-3906acca2ab4}}	Terraform	High	Access Control	BigQuery dataset is anonymously or publicly accessible (read more)	Documentation
SQL DB Instance Backup Disabled ^{_{cf3c7631-cd1e-42f3-8801-a561214a6e79}}	Terraform	High	Backup	Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)	Documentation
KMS Crypto Key is Publicly Accessible ^{_{16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5}}	Terraform	High	Encryption	KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)	Documentation
DNSSEC Using RSASHA1 ^{_{ccc3100c-0fdd-4a5e-9908-c10107291860}}	Terraform	High	Encryption	DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)	Documentation
SQL DB Instance With SSL Disabled ^{_{02474449-71aa-40a1-87ae-e14497747b00}}	Terraform	High	Encryption	Cloud SQL Database Instance should have SLL enabled (read more)	Documentation
Not Proper Email Account In Use ^{_{9356962e-4a4f-4d06-ac59-dc8008775eaa}}	Terraform	High	Insecure Configurations	Gmail accounts are being used instead of corporate credentials (read more)	Documentation
Private Cluster Disabled ^{_{6ccb85d7-0420-4907-9380-50313f80946b}}	Terraform	High	Insecure Configurations	Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)	Documentation
Cluster Labels Disabled ^{_{65c1bc7a-4835-4ac4-a2b6-13d310b0648d}}	Terraform	High	Insecure Configurations	Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)	Documentation
IP Aliasing Disabled ^{_{c606ba1d-d736-43eb-ac24-e16108f3a9e0}}	Terraform	High	Insecure Configurations	Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)	Documentation
GKE Legacy Authorization Enabled ^{_{5baa92d2-d8ee-4c75-88a4-52d9d8bb8067}}	Terraform	High	Insecure Configurations	Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)	Documentation
SQL DB Instance Publicly Accessible ^{_{b187edca-b81e-4fdc-aff4-aab57db45edb}}	Terraform	High	Insecure Configurations	Cloud SQL instances should not be publicly accessible. (read more)	Documentation
Pod Security Policy Disabled ^{_{9192e0f9-eca5-4056-9282-ae2a736a4088}}	Terraform	High	Insecure Configurations	Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)	Documentation
Legacy Client Certificate Auth Enabled ^{_{73fb21a1-b19a-45b1-b648-b47b1678681e}}	Terraform	High	Insecure Configurations	Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)	Documentation
Network Policy Disabled ^{_{11e7550e-c4b6-472e-adff-c698f157cdd7}}	Terraform	High	Insecure Configurations	Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)	Documentation
Stackdriver Logging Disabled ^{_{4c7ebcb2-eae2-461e-bc83-456ee2d4f694}}	Terraform	High	Observability	Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)	Documentation
Cloud Storage Bucket Logging Not Enabled ^{_{d6cabc3a-d57e-48c2-b341-bf3dd4f4a120}}	Terraform	High	Observability	Cloud storage bucket should have logging enabled (read more)	Documentation
Stackdriver Monitoring Disabled ^{_{30e8dfd2-3591-4d19-8d11-79e93106c93d}}	Terraform	High	Observability	Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)	Documentation
IAM Audit Not Properly Configured ^{_{89fe890f-b480-460c-8b6b-7d8b1468adb4}}	Terraform	High	Observability	Audit Logging Configuration is defective (read more)	Documentation
Cloud Storage Bucket Versioning Disabled ^{_{e7e961ac-d17e-4413-84bc-8a1fbe242944}}	Terraform	High	Observability	Cloud Storage Bucket should have versioning enabled (read more)	Documentation
Node Auto Upgrade Disabled ^{_{b139213e-7d24-49c2-8025-c18faa21ecaa}}	Terraform	High	Resource Management	Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)	Documentation
Google Project IAM Member Service Account has Token Creator or Account User Role ^{_{c68b4e6d-4e01-4ca1-b256-1e18e875785c}}	Terraform	Medium	Access Control	Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)	Documentation
Google Project IAM Member Service Account Has Admin Role ^{_{84d36481-fd63-48cb-838e-635c44806ec2}}	Terraform	Medium	Access Control	Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)	Documentation
Google Project IAM Binding Service Account has Token Creator or Account User Role ^{_{617ef6ff-711e-4bd7-94ae-e965911b1b40}}	Terraform	Medium	Access Control	Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)	Documentation
KMS Admin and CryptoKey Roles In Use ^{_{92e4464a-4139-4d57-8742-b5acc0347680}}	Terraform	Medium	Access Control	Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)	Documentation
Disk Encryption Disabled ^{_{b1d51728-7270-4991-ac2f-fc26e2695b38}}	Terraform	Medium	Encryption	VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)	Documentation
Google Compute SSL Policy Weak Cipher In Use ^{_{14a457f0-473d-4d1d-9e37-6d99b355b336}}	Terraform	Medium	Encryption	This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)	Documentation
Shielded GKE Nodes Disabled ^{_{579a0727-9c29-4d58-8195-fc5802a8bdb4}}	Terraform	Medium	Insecure Configurations	GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)	Documentation
Google Container Node Pool Auto Repair Disabled ^{_{acfdbec6-4a17-471f-b412-169d77553332}}	Terraform	Medium	Insecure Configurations	Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)	Documentation
Cloud DNS Without DNSSEC ^{_{5ef61c88-bbb4-4725-b1df-55d23c9676bb}}	Terraform	Medium	Insecure Configurations	DNSSEC must be enabled for Cloud DNS (read more)	Documentation
OSLogin Is Disabled For VM Instance ^{_{d0b4d550-c001-46c3-bbdb-d5d75d33f05f}}	Terraform	Medium	Insecure Configurations	Check if any VM instance disables OSLogin (read more)	Documentation
Google Storage Bucket Level Access Disabled ^{_{bb0db090-5509-4853-a827-75ced0b3caa0}}	Terraform	Medium	Insecure Configurations	Google Storage Bucket Level Access should be enabled (read more)	Documentation
Google Project Auto Create Network Disabled ^{_{59571246-3f62-4965-a96f-c7d97e269351}}	Terraform	Medium	Insecure Configurations	Verifies if the Google Project Auto Create Network is Disabled (read more)	Documentation
Shielded VM Disabled ^{_{1b44e234-3d73-41a8-9954-0b154135280e}}	Terraform	Medium	Insecure Configurations	Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)	Documentation
COS Node Image Not Used ^{_{8a893e46-e267-485a-8690-51f39951de58}}	Terraform	Medium	Insecure Configurations	The node image should be Container-Optimized OS(COS) (read more)	Documentation
Using Default Service Account ^{_{3cb4af0b-056d-4fb1-8b95-fdc4593625ff}}	Terraform	Medium	Insecure Defaults	Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)	Documentation
GKE Using Default Service Account ^{_{1c8eef02-17b1-4a3e-b01d-dcc3292d2c38}}	Terraform	Medium	Insecure Defaults	Kubernetes Engine Clusters should not be configured to use the default service account (read more)	Documentation
SSH Access Is Not Restricted ^{_{c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0}}	Terraform	Medium	Networking and Firewall	Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)	Documentation
Serial Ports Are Enabled For VM Instances ^{_{97fa667a-d05b-4f16-9071-58b939f34751}}	Terraform	Medium	Networking and Firewall	Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)	Documentation
RDP Access Is Not Restricted ^{_{678fd659-96f2-454a-a2a0-c2571f83a4a3}}	Terraform	Medium	Networking and Firewall	Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)	Documentation
Google Compute Network Using Firewall Rule that Allows All Ports ^{_{22ef1d26-80f8-4a6c-8c15-f35aab3cac78}}	Terraform	Medium	Networking and Firewall	Google Compute Network should not use a firewall rule that allows all ports (read more)	Documentation
Google Compute Network Using Default Firewall Rule ^{_{40abce54-95b1-478c-8e5f-ea0bf0bb0e33}}	Terraform	Medium	Networking and Firewall	Google Compute Network should not use default firewall rule (read more)	Documentation
IP Forwarding Enabled ^{_{f34c0c25-47b4-41eb-9c79-249b4dd47b89}}	Terraform	Medium	Networking and Firewall	Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)	Documentation
Google Compute Subnetwork Logging Disabled ^{_{40430747-442d-450a-a34f-dc57149f4609}}	Terraform	Medium	Observability	This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)	Documentation
Service Account with Improper Privileges ^{_{cefdad16-0dd5-4ac5-8ed2-a37502c78672}}	Terraform	Medium	Resource Management	Service account should not have improper privileges like admin, editor, owner, or write roles (read more)	Documentation
Project-wide SSH Keys Are Enabled In VM Instances ^{_{3e4d5ce6-3280-4027-8010-c26eeea1ec01}}	Terraform	Medium	Secret Management	VM Instance should block project-wide SSH keys (read more)	Documentation
High Google KMS Crypto Key Rotation Period ^{_{d8c57c4e-bf6f-4e32-a2bf-8643532de77b}}	Terraform	Medium	Secret Management	KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)	Documentation
Outdated GKE Version ^{_{128df7ec-f185-48bc-8913-ce756a3ccb85}}	Terraform	Low	Best Practices	Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)	Documentation
User with IAM Role ^{_{704fcc44-a58f-4af5-82e2-93f2a58ef918}}	Terraform	Low	Best Practices	As a best practice, it is better to assign an IAM Role to a group than to a user (read more)	Documentation
Google Compute Subnetwork with Private Google Access Disabled ^{_{ee7b93c1-b3f8-4a3b-9588-146d481814f5}}	Terraform	Low	Networking and Firewall	Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)	Documentation
Google Compute Network Using Firewall Rule that Allows Port Range ^{_{e6f61c37-106b-449f-a5bb-81bfcaceb8b4}}	Terraform	Low	Networking and Firewall	Google Compute Network should not use a firewall rule that allows port range (read more)	Documentation
AKS RBAC Disabled ^{_{b2418936-cd47-4ea2-8346-623c0bdb87bd}}	Crossplane	Medium	Access Control	Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)	Documentation
Redis Cache Allows Non SSL Connections ^{_{6c7cfec3-c686-4ed2-bf58-a1ec054b63fc}}	Crossplane	Medium	Encryption	Redis Cache resource should not allow non-SSL connections. (read more)	Documentation
EFS Without KMS ^{_{bdecd6db-2600-47dd-a10c-72c97cf17ae9}}	Crossplane	High	Encryption	Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)	Documentation
DB Instance Storage Not Encrypted ^{_{e50eb68a-a4af-4048-8bbe-8ec324421469}}	Crossplane	High	Encryption	RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)	Documentation
ELB Using Weak Ciphers ^{_{a507daa5-0795-4380-960b-dd7bb7c56661}}	Crossplane	High	Encryption	ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)	Documentation
EFS Not Encrypted ^{_{72840c35-3876-48be-900d-f21b2f0c2ea1}}	Crossplane	High	Encryption	Elastic File System (EFS) must be encrypted (read more)	Documentation
RDS DB Instance Publicly Accessible ^{_{d9dc6429-5140-498a-8f55-a10daac5f000}}	Crossplane	High	Insecure Configurations	RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)	Documentation
DB Security Group Has Public Interface ^{_{dd667399-8d9d-4a8d-bbb4-e49ab53b2f52}}	Crossplane	High	Insecure Configurations	The CIDR IP should not be a public interface (read more)	Documentation
CloudFront Without Minimum Protocol TLS 1.2 ^{_{255b0fcc-9f82-41fe-9229-01b163e3376b}}	Crossplane	High	Insecure Configurations	CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)	Documentation
SQS With SSE Disabled ^{_{9296f1cc-7a40-45de-bd41-f31745488a0e}}	Crossplane	Medium	Encryption	Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)	Documentation
Neptune Database Cluster Encryption Disabled ^{_{83bf5aca-138a-498e-b9cd-ad5bc5e117b4}}	Crossplane	Medium	Encryption	Neptune database cluster storage should have encryption enabled (read more)	Documentation
CloudFront Logging Disabled ^{_{7b590235-1ff4-421b-b9ff-5227134be9bb}}	Crossplane	Medium	Observability	AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)	Documentation
CloudWatch Without Retention Period Specified ^{_{934613fe-b12c-4e5a-95f5-c1dcdffac1ff}}	Crossplane	Medium	Observability	AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)	Documentation
CloudFront Without WAF ^{_{6d19ce0f-b3d8-4128-ac3d-1064e0f00494}}	Crossplane	Low	Networking and Firewall	All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)	Documentation
DocDB Logging Is Disabled ^{_{e6cd49ba-77ed-417f-9bca-4f5303554308}}	Crossplane	Low	Observability	DocDB logging should be enabled (read more)	Documentation
Cloud Storage Bucket Logging Not Enabled ^{_{6c2d627c-de0f-45fb-b33d-dad9bffbb421}}	Crossplane	High	Observability	Cloud storage bucket should have logging enabled (read more)	Documentation
Google Container Node Pool Auto Repair Disabled ^{_{b4f65d13-a609-4dc1-af7c-63d2e08bffe9}}	Crossplane	Medium	Insecure Configurations	Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)	Documentation
Enum Name Not CamelCase ^{_{daaace5f-c0dc-4835-b526-7a116b7f4b4e}}	GRPC	Low	Best Practices	All Enum Names should follow CamelCase and start with Capital Letter (read more)	Documentation
Run Using apt ^{_{a1bc27c6-7115-48d8-bf9d-5a7e836845ba}}	Buildah	Medium	Supply-Chain	apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)	Documentation
Passwords And Secrets ^{_{a88baa34-e2ad-44ea-ad6f-8cac87bc7c71}}	Common	High	Secret Management	Query to find passwords and secrets in infrastructure code. (read more)	Documentation
Public Storage Account ^{_{35e2f133-a395-40de-a79d-b260d973d1bd}}	Ansible	High	Access Control	Storage Account should not be public to grant the principle of least privileges (read more)	Documentation
Storage Container Is Publicly Accessible ^{_{4d3817db-dd35-4de4-a80d-3867157e7f7f}}	Ansible	High	Access Control	Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)	Documentation
Admin User Enabled For Container Registry ^{_{29f35127-98e6-43af-8ec1-201b79f99604}}	Ansible	High	Access Control	Admin user is enabled for Container Registry (read more)	Documentation
Azure Instance Using Basic Authentication ^{_{e2d834b7-8b25-4935-af53-4a60668dcbe0}}	Ansible	High	Best Practices	Azure Instances should use SSH Key instead of basic authentication (read more)	Documentation
SSL Enforce Disabled ^{_{961ce567-a16d-4d7d-9027-f0ec2628a555}}	Ansible	High	Encryption	Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)	Documentation
Storage Account Not Forcing HTTPS ^{_{2c99a474-2a3c-4c17-8294-53ffa5ed0522}}	Ansible	High	Encryption	Storage Accounts should enforce the use of HTTPS (read more)	Documentation
MySQL SSL Connection Disabled ^{_{2a901825-0f3b-4655-a0fe-e0470e50f8e6}}	Ansible	High	Encryption	Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)	Documentation
Web App Accepting Traffic Other Than HTTPS ^{_{eb8c2560-8bee-4248-9d0d-e80c8641dd91}}	Ansible	High	Insecure Configurations	Web app should only accept HTTPS traffic in Azure Web App Service. (read more)	Documentation
Azure Container Registry With No Locks ^{_{581dae78-307d-45d5-aae4-fe2b0db267a5}}	Ansible	High	Insecure Configurations	Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)	Documentation
AD Admin Not Configured For SQL Server ^{_{b176e927-bbe2-44a6-a9c3-041417137e5f}}	Ansible	High	Insecure Configurations	The Active Directory Administrator is not configured for a SQL server (read more)	Documentation
VM Not Attached To Network ^{_{1e5f5307-3e01-438d-8da6-985307ed25ce}}	Ansible	High	Insecure Configurations	No Network Security Group is attached to the Virtual Machine (read more)	Documentation
Sensitive Port Is Exposed To Entire Network ^{_{0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc}}	Ansible	High	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)	Documentation
Trusted Microsoft Services Not Enabled ^{_{1bc398a8-d274-47de-a4c8-6ac867b353de}}	Ansible	High	Networking and Firewall	Trusted Microsoft Services should be enabled for Storage Account access (read more)	Documentation
CosmosDB Account IP Range Filter Not Set ^{_{e8c80448-31d8-4755-85fc-6dbab69c2717}}	Ansible	High	Networking and Firewall	The IP range filter should be defined to secure the data stored (read more)	Documentation
SQLServer Ingress From Any IP ^{_{f4e9ff70-0f3b-4c50-a713-26cbe7ec4039}}	Ansible	High	Networking and Firewall	Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)	Documentation
Redis Publicly Accessible ^{_{0632d0db-9190-450a-8bb3-c283bffea445}}	Ansible	High	Networking and Firewall	Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)	Documentation
Redis Entirely Accessible ^{_{0d0c12b9-edce-4510-9065-13f6a758750c}}	Ansible	High	Networking and Firewall	Firewall rule allowing unrestricted access to Redis from the Internet (read more)	Documentation
Role Definition Allows Custom Role Creation ^{_{5c80db8e-03f5-43a2-b4af-1f3f87018157}}	Ansible	Medium	Access Control	Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)	Documentation
Default Azure Storage Account Network Access Is Too Permissive ^{_{ca4df748-613a-4fbf-9c76-f02cbd580307}}	Ansible	Medium	Access Control	Make sure that your Azure Storage Account access is limited to those who require it. (read more)	Documentation
AKS RBAC Disabled ^{_{149fa56c-4404-4f90-9e25-d34b676d5b39}}	Ansible	Medium	Access Control	Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)	Documentation
Key Vault Soft Delete Is Disabled ^{_{881696a8-68c5-4073-85bc-7c38a3deb854}}	Ansible	Medium	Backup	Make sure Soft Delete is enabled for Key Vault (read more)	Documentation
SQL Server Predictable Admin Account Name ^{_{663062e9-473d-4e87-99bc-6f3684b3df40}}	Ansible	Medium	Best Practices	Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)	Documentation
SQL Server Predictable Active Directory Account Name ^{_{530e8291-2f22-4bab-b7ea-306f1bc2a308}}	Ansible	Medium	Best Practices	Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)	Documentation
Cosmos DB Account Without Tags ^{_{23a4dc83-4959-4d99-8056-8e051a82bc1e}}	Ansible	Medium	Build Process	Cosmos DB Account must have a mapping of tags. (read more)	Documentation
Storage Account Not Using Latest TLS Encryption Version ^{_{c62746cf-92d5-4649-9acf-7d48d086f2ee}}	Ansible	Medium	Encryption	Ensure Storage Account is using the latest version of TLS encryption (read more)	Documentation
Redis Cache Allows Non SSL Connections ^{_{869e7fb4-30f0-4bdb-b360-ad548f337f2f}}	Ansible	Medium	Insecure Configurations	Redis Cache resources should not allow non-SSL connections (read more)	Documentation
Security Group is Not Configured ^{_{da4f2739-174f-4cdd-b9ef-dc3f14b5931f}}	Ansible	Medium	Insecure Configurations	Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)	Documentation
AKS Network Policy Misconfigured ^{_{8c3bedf1-c570-4c3b-b414-d068cd39a00c}}	Ansible	Medium	Insecure Configurations	Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)	Documentation
Firewall Rule Allows Too Many Hosts To Access Redis Cache ^{_{69f72007-502e-457b-bd2d-5012e31ac049}}	Ansible	Medium	Networking and Firewall	Check if any firewall rule allows too many hosts to access Redis Cache. (read more)	Documentation
Unrestricted SQL Server Access ^{_{3f23c96c-f9f5-488d-9b17-605b8da5842f}}	Ansible	Medium	Networking and Firewall	Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)	Documentation
WAF Is Disabled For Azure Application Gateway ^{_{2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255}}	Ansible	Medium	Networking and Firewall	Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)	Documentation
PostgreSQL Log Disconnections Not Set ^{_{054d07b5-941b-4c28-8eef-18989dc62323}}	Ansible	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)	Documentation
PostgreSQL Server Without Connection Throttling ^{_{a9becca7-892a-4af7-b9e1-44bf20a4cd9a}}	Ansible	Medium	Observability	Ensure that Connection Throttling is set for the PostgreSQL server (read more)	Documentation
PostgreSQL Log Duration Not Set ^{_{729ebb15-8060-40f7-9017-cb72676a5487}}	Ansible	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)	Documentation
Log Retention Is Not Set ^{_{0461b4fd-21ef-4687-929e-484ee4796785}}	Ansible	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)	Documentation
PostgreSQL Log Connections Not Set ^{_{7b47138f-ec0e-47dc-8516-e7728fe3cc17}}	Ansible	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)	Documentation
Small Activity Log Retention Period ^{_{37fafbea-dedb-4e0d-852e-d16ee0589326}}	Ansible	Medium	Observability	Ensure that Activity Log Retention is set 365 days or greater (read more)	Documentation
Monitoring Log Profile Without All Activities ^{_{89f84a1e-75f8-47c5-83b5-bee8e2de4168}}	Ansible	Medium	Observability	Monitoring log profile captures all the activities (Action, Write, Delete) (read more)	Documentation
PostgreSQL Log Checkpoints Disabled ^{_{7ab33ac0-e4a3-418f-a673-50da4e34df21}}	Ansible	Medium	Observability	Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)	Documentation
AKS Monitoring Logging Disabled ^{_{d5e83b32-56dd-4247-8c2e-074f43b38a5e}}	Ansible	Medium	Observability	Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)	Documentation
Privilege Escalation Using Become Plugin ^{_{0e75052f-cc02-41b8-ac39-a78017527e95}}	Ansible	Medium	Access Control	In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)	Documentation
Communication Over HTTP ^{_{2e8d4922-8362-4606-8c14-aa10466a1ce3}}	Ansible	Medium	Insecure Configurations	Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)	Documentation
Insecure Relative Path Resolution ^{_{8d22ae91-6ac1-459f-95be-d37bd373f244}}	Ansible	Low	Best Practices	Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)	Documentation
Logging of Sensitive Data ^{_{59029ddf-e651-412b-ae7b-ff6d403184bc}}	Ansible	Low	Best Practices	To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)	Documentation
Unpinned Package Version ^{_{c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8}}	Ansible	Low	Supply-Chain	Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)	Documentation
Risky File Permissions ^{_{88841d5c-d22d-4b7e-a6a0-89ca50e44b9f}}	Ansible	Info	Supply-Chain	Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)	Documentation
S3 Bucket Allows List Action From All Principals ^{_{d395a950-12ce-4314-a742-ac5a785ab44e}}	Ansible	High	Access Control	S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)	Documentation
S3 Bucket ACL Allows Read to All Users ^{_{a1ef9d2e-4163-40cb-bd92-04f0d602a15d}}	Ansible	High	Access Control	S3 Buckets should not be readable to all users (read more)	Documentation
IAM Policy Grants Full Permissions ^{_{b5ed026d-a772-4f07-97f9-664ba0b116f8}}	Ansible	High	Access Control	IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)	Documentation
ECS Service Admin Role Is Present ^{_{7db727c1-1720-468e-b80e-06697f71e09e}}	Ansible	High	Access Control	ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)	Documentation
S3 Bucket ACL Allows Read to Any Authenticated User ^{_{75480b31-f349-4b9a-861f-bce19588e674}}	Ansible	High	Access Control	S3 Buckets should not be readable to any authenticated user (read more)	Documentation
IAM Policies With Full Privileges ^{_{e401d614-8026-4f4b-9af9-75d1197461ba}}	Ansible	High	Access Control	IAM policies shouldn't allow full administrative privileges (for all resources) (read more)	Documentation
SQS Queue Exposed ^{_{86b0efa7-4901-4edd-a37a-c034bec6645a}}	Ansible	High	Access Control	Checks if the SQS Queue is exposed (read more)	Documentation
S3 Bucket Access to Any Principal ^{_{3ab1f27d-52cc-4943-af1d-43c1939e739a}}	Ansible	High	Access Control	Checks if the S3 bucket is accessible for all users (read more)	Documentation
S3 Bucket Allows Delete Action From All Principals ^{_{6fa44721-ef21-41c6-8665-330d59461163}}	Ansible	High	Access Control	S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)	Documentation
S3 Bucket With All Permissions ^{_{6a6d7e56-c913-4549-b5c5-5221e624d2ec}}	Ansible	High	Access Control	S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)	Documentation
SNS Topic is Publicly Accessible ^{_{905f4741-f965-45c1-98db-f7a00a0e5c73}}	Ansible	High	Access Control	SNS Topic Policy should not allow any principal to access (read more)	Documentation
Authentication Without MFA ^{_{eee107f9-b3d8-45d3-b9c6-43b5a7263ce1}}	Ansible	High	Access Control	Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)	Documentation
S3 Bucket Allows Get Action From All Principals ^{_{53bce6a8-5492-4b1b-81cf-664385f0c4bf}}	Ansible	High	Access Control	S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)	Documentation
S3 Bucket Allows Put Action From All Principals ^{_{a0f1bfe0-741e-473f-b3b2-13e66f856fab}}	Ansible	High	Access Control	S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)	Documentation
User Data Shell Script Is Encoded ^{_{1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89}}	Ansible	High	Encryption	User Data Shell Script must be encoded (read more)	Documentation
IAM Database Auth Not Enabled ^{_{0ed012a4-9199-43d2-b9e4-9bd049a48aa4}}	Ansible	High	Encryption	IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)	Documentation
S3 Bucket SSE Disabled ^{_{309edc5b-5a59-42b4-a357-d4d098311fd4}}	Ansible	High	Encryption	If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)	Documentation
EFS Without KMS ^{_{bd77554e-f138-40c5-91b2-2a09f878608e}}	Ansible	High	Encryption	Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)	Documentation
S3 Bucket Without Server-side-encryption ^{_{594f54e7-f744-45ab-93e4-c6dbaf6cd571}}	Ansible	High	Encryption	AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)	Documentation
CA Certificate Identifier Is Outdated ^{_{5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce}}	Ansible	High	Encryption	The CA certificate Identifier must be 'rds-ca-2019'. (read more)	Documentation
ELB Using Insecure Protocols ^{_{730a5951-2760-407a-b032-dd629b55c23a}}	Ansible	High	Encryption	ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)	Documentation
Redis Not Compliant ^{_{9f34885e-c08f-4d13-a7d1-cf190c5bd268}}	Ansible	High	Encryption	Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)	Documentation
Secure Ciphers Disabled ^{_{218413a0-c716-4b94-9e08-0bb70d854709}}	Ansible	High	Encryption	Check if secure ciphers aren't used in CloudFront (read more)	Documentation
Kinesis Not Encrypted With KMS ^{_{f2ea6481-1d31-4d40-946a-520dc6321dd7}}	Ansible	High	Encryption	AWS Kinesis Streams and metadata should be protected with KMS (read more)	Documentation
DB Instance Storage Not Encrypted ^{_{7dfb316c-a6c2-454d-b8a2-97f147b0c0ff}}	Ansible	High	Encryption	AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)	Documentation
AMI Not Encrypted ^{_{97707503-a22c-4cd7-b7c0-f088fa7cf830}}	Ansible	High	Encryption	AWS AMI Encryption is not enabled (read more)	Documentation
ECS Task Definition Container With Plaintext Password ^{_{7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892}}	Ansible	High	Encryption	It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)	Documentation
User Data Contains Encoded Private Key ^{_{c09f4d3e-27d2-4d46-9453-abbe9687a64e}}	Ansible	High	Encryption	User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)	Documentation
ELB Using Weak Ciphers ^{_{2034fb37-bc23-4ca0-8d95-2b9f15829ab5}}	Ansible	High	Encryption	ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)	Documentation
Launch Configuration Is Not Encrypted ^{_{66477506-6abb-49ed-803d-3fa174cd5f6a}}	Ansible	High	Encryption	Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)	Documentation
Cloudfront Viewer Protocol Policy Allows HTTP ^{_{a6d27cf7-61dc-4bde-ae08-3b353b609f76}}	Ansible	High	Encryption	Checks if the connection between CloudFront and the viewer is encrypted (read more)	Documentation
Redshift Not Encrypted ^{_{6a647814-def5-4b85-88f5-897c19f509cd}}	Ansible	High	Encryption	AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)	Documentation
EFS Not Encrypted ^{_{727c4fd4-d604-4df6-a179-7713d3c85e20}}	Ansible	High	Encryption	Elastic File System (EFS) must be encrypted (read more)	Documentation
Redshift Publicly Accessible ^{_{5c6b727b-1382-4629-8ba9-abd1365e5610}}	Ansible	High	Insecure Configurations	AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)	Documentation
EC2 Group Has Public Interface ^{_{5330b503-3319-44ff-9b1c-00ee873f728a}}	Ansible	High	Insecure Configurations	The CIDR IP should not be a public interface (read more)	Documentation
KMS Key With Full Permissions ^{_{5b9d237a-57d5-4177-be0e-71434b0fef47}}	Ansible	High	Insecure Configurations	The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)	Documentation
S3 Bucket with Unsecured CORS Rule ^{_{3505094c-f77c-4ba0-95da-f83db712f86c}}	Ansible	High	Insecure Configurations	If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)	Documentation
RDS DB Instance Publicly Accessible ^{_{c09e3ca5-f08a-4717-9c87-3919c5e6d209}}	Ansible	High	Insecure Configurations	RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)	Documentation
ECS Task Definition Network Mode Not Recommended ^{_{01aec7c2-3e4d-4274-ae47-2b8fea22fd1f}}	Ansible	High	Insecure Configurations	Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)	Documentation
Batch Job Definition With Privileged Container Properties ^{_{defe5b18-978d-4722-9325-4d1975d3699f}}	Ansible	High	Insecure Configurations	Batch Job Definition should not have Privileged Container Properties (read more)	Documentation
Root Account Has Active Access Keys ^{_{e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40}}	Ansible	High	Insecure Configurations	The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)	Documentation
CloudFront Without Minimum Protocol TLS 1.2 ^{_{d0c13053-d2c8-44a6-95da-d592996e9e67}}	Ansible	High	Insecure Configurations	CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)	Documentation
Vulnerable Default SSL Certificate ^{_{fb8f8929-afeb-4c46-99f0-a6cf410f7df4}}	Ansible	High	Insecure Defaults	CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)	Documentation
HTTP Port Open To Internet ^{_{a14ad534-acbe-4a8e-9404-2f7e1045646e}}	Ansible	High	Networking and Firewall	The HTTP port is open to the internet in a Security Group (read more)	Documentation
Public Port Wide ^{_{71ea648a-d31a-4b5a-a589-5674243f1c33}}	Ansible	High	Networking and Firewall	AWS Security Group should not have public port wide (read more)	Documentation
Security Group With Unrestricted Access To SSH ^{_{57ced4b9-6ba4-487b-8843-b65562b90c77}}	Ansible	High	Networking and Firewall	'SSH' (TCP:22) should not be public in AWS Security Group (read more)	Documentation
DB Security Group With Public Scope ^{_{0956aedf-6a7a-478b-ab56-63e2b19923ad}}	Ansible	High	Networking and Firewall	The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)	Documentation
Route53 Record Undefined ^{_{445dce51-7e53-4e50-80ef-7f94f14169e4}}	Ansible	High	Networking and Firewall	Route53 Record should have a list of records (read more)	Documentation
Unrestricted Security Group Ingress ^{_{83c5fa4c-e098-48fc-84ee-0a537287ddd2}}	Ansible	High	Networking and Firewall	Security groups allow ingress from 0.0.0.0/0 (read more)	Documentation
EC2 Instance Has Public IP ^{_{a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1}}	Ansible	High	Networking and Firewall	EC2 Instance should not have a public IP address. (read more)	Documentation
Elasticsearch with HTTPS disabled ^{_{d6c2d06f-43c1-488a-9ba1-8d75b40fc62d}}	Ansible	High	Networking and Firewall	Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)	Documentation
Unknown Port Exposed To Internet ^{_{722b0f24-5a64-4cca-aa96-cfc26b7e3a5b}}	Ansible	High	Networking and Firewall	AWS Security Group should not have an unknown port exposed to the entire Internet (read more)	Documentation
Default Security Groups With Unrestricted Traffic ^{_{8010e17a-00e9-4635-a692-90d6bcec68bd}}	Ansible	High	Networking and Firewall	Check if default security group does not restrict all inbound and outbound traffic. (read more)	Documentation
Security Group Ingress Not Restricted ^{_{ea6bc7a6-d696-4dcf-a788-17fa03c17c81}}	Ansible	High	Networking and Firewall	AWS Security Group should restrict ingress access (read more)	Documentation
RDS Associated with Public Subnet ^{_{16732649-4ff6-4cd2-8746-e72c13fae4b8}}	Ansible	High	Networking and Firewall	RDS should not run in public subnet (read more)	Documentation
ALB Listening on HTTP ^{_{f81d63d2-c5d7-43a4-a5b5-66717a41c895}}	Ansible	High	Networking and Firewall	AWS Application Load Balancer (alb) should not listen on HTTP (read more)	Documentation
Remote Desktop Port Open To Internet ^{_{eda7301d-1f3e-47cf-8d4e-976debc64341}}	Ansible	High	Networking and Firewall	The Remote Desktop port is open to the internet in a Security Group (read more)	Documentation
DB Security Group Open To Large Scope ^{_{ea0ed1c7-9aef-4464-b7c7-94c762da3640}}	Ansible	High	Networking and Firewall	The IP address in a DB Security Group must not have more than 256 hosts. (read more)	Documentation
CloudTrail Logging Disabled ^{_{d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5}}	Ansible	High	Observability	Checks if logging is enabled for CloudTrail. (read more)	Documentation
CMK Rotation Disabled ^{_{af96d737-0818-4162-8c41-40d969bd65d1}}	Ansible	High	Observability	Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)	Documentation
SQS Policy With Public Access ^{_{d994585f-defb-4b51-b6d2-c70f020ceb10}}	Ansible	Medium	Access Control	Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)	Documentation
S3 Bucket With Public Access ^{_{c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9}}	Ansible	Medium	Access Control	S3 Bucket allows public access (read more)	Documentation
SQS Policy Allows All Actions ^{_{ed9b3beb-92cf-44d9-a9d2-171eeba569d4}}	Ansible	Medium	Access Control	SQS policy allows ALL (*) actions (read more)	Documentation
Public Lambda via API Gateway ^{_{5e92d816-2177-4083-85b4-f61b4f7176d9}}	Ansible	Medium	Access Control	Allowing to run lambda function using public API Gateway (read more)	Documentation
Lambda Permission Principal Is Wildcard ^{_{1d972c56-8ec2-48c1-a578-887adb09c57a}}	Ansible	Medium	Access Control	Lambda Permission Principal should not contain a wildcard. (read more)	Documentation
IAM Access Key Is Exposed ^{_{7f79f858-fbe8-4186-8a2c-dfd0d958a40f}}	Ansible	Medium	Access Control	Check if IAM Access Key is active for some user besides 'root' (read more)	Documentation
IAM Policies Attached To User ^{_{eafe4bc3-1042-4f88-b988-1939e64bf060}}	Ansible	Medium	Access Control	IAM policies should be attached only to groups or roles (read more)	Documentation
API Gateway Without Configured Authorizer ^{_{b16cdb37-ce15-4ab2-8401-d42b05d123fc}}	Ansible	Medium	Access Control	API Gateway REST API should have an API Gateway Authorizer (read more)	Documentation
AMI Shared With Multiple Accounts ^{_{a19b2942-142e-4e2b-93b7-6cf6a6c8d90f}}	Ansible	Medium	Access Control	Limits access to AWS AMIs by checking if more than one account is using the same image (read more)	Documentation
Cross-Account IAM Assume Role Policy Without ExternalId or MFA ^{_{af167837-9636-4086-b815-c239186b9dda}}	Ansible	Medium	Access Control	Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)	Documentation
Certificate Has Expired ^{_{5a443297-19d4-4381-9e5b-24faf947ec22}}	Ansible	Medium	Access Control	Expired SSL/TLS certificates should be removed (read more)	Documentation
ECR Repository Is Publicly Accessible ^{_{fb5a5df7-6d74-4243-ab82-ff779a958bfd}}	Ansible	Medium	Access Control	Amazon ECR image repositories shouldn't have public access (read more)	Documentation
SES Policy With Allowed IAM Actions ^{_{8ed0bfce-f780-46d4-b086-21c3628f09ad}}	Ansible	Medium	Access Control	SES policy should not allow IAM actions to all principals (read more)	Documentation
CMK Is Unusable ^{_{133fee21-37ef-45df-a563-4d07edc169f4}}	Ansible	Medium	Availability	AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)	Documentation
ECS Service Without Running Tasks ^{_{f5c45127-1d28-4b49-a692-0b97da1c3a84}}	Ansible	Medium	Availability	ECS Service should have at least 1 task running (read more)	Documentation
Auto Scaling Group With No Associated ELB ^{_{050f085f-a8db-4072-9010-2cca235cc02f}}	Ansible	Medium	Availability	AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)	Documentation
RDS With Backup Disabled ^{_{e69890e6-fce5-461d-98ad-cb98318dfc96}}	Ansible	Medium	Backup	Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)	Documentation
Stack Retention Disabled ^{_{17d5ba1d-7667-4729-b1a6-b11fde3db7f7}}	Ansible	Medium	Backup	Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)	Documentation
IAM Password Without Lowercase Letter ^{_{8e3063f4-b511-45c3-b030-f3b0c9131951}}	Ansible	Medium	Best Practices	IAM Password should have at least one lowercase letter (read more)	Documentation
IAM Password Without Number ^{_{9cf25d62-0b96-42c8-b66d-998cd6ee5bb8}}	Ansible	Medium	Best Practices	IAM user resource Login Profile Password should have at least one number (read more)	Documentation
IAM Password Without Minimum Length ^{_{8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d}}	Ansible	Medium	Best Practices	IAM password should have the required minimum length (read more)	Documentation
Password Without Reuse Prevention ^{_{6f5f5444-1422-495f-81ef-24cefd61ed2c}}	Ansible	Medium	Best Practices	Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)	Documentation
IAM Password Without Uppercase Letter ^{_{83957b81-39c1-4191-8e12-671d2ce14354}}	Ansible	Medium	Best Practices	IAM password should have at least one uppercase letter (read more)	Documentation
Misconfigured Password Policy Expiration ^{_{3f2cf811-88fa-4eda-be45-7a191a18aba9}}	Ansible	Medium	Best Practices	No password expiration policy (read more)	Documentation
Stack Without Template ^{_{32d31f1f-0f83-4721-b7ec-1e6948c60145}}	Ansible	Medium	Build Process	AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)	Documentation
Config Rule For Encrypted Volumes Disabled ^{_{7674a686-e4b1-4a95-83d4-1fd53c623d84}}	Ansible	Medium	Encryption	Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)	Documentation
Memcached Disabled ^{_{2d55ef88-b616-4890-b822-47f280763e89}}	Ansible	Medium	Encryption	Check if the Memcached is disabled on the ElastiCache (read more)	Documentation
SQS With SSE Disabled ^{_{e1e7b278-2a8b-49bd-a26e-66a7f70b17eb}}	Ansible	Medium	Encryption	Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)	Documentation
EBS Volume Encryption Disabled ^{_{4b6012e7-7176-46e4-8108-e441785eae57}}	Ansible	Medium	Encryption	EBS volumes should be encrypted (read more)	Documentation
CodeBuild Not Encrypted ^{_{a1423864-2fbc-4f46-bfe1-fbbf125c71c9}}	Ansible	Medium	Encryption	CodeBuild Project should be encrypted (read more)	Documentation
API Gateway Without SSL Certificate ^{_{b47b98ab-e481-4a82-8bb1-1ab39fd36e33}}	Ansible	Medium	Insecure Configurations	SSL Client Certificate should be enabled (read more)	Documentation
ECR Image Tag Not Immutable ^{_{60bfbb8a-c72f-467f-a6dd-a46b7d612789}}	Ansible	Medium	Insecure Configurations	ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)	Documentation
Lambda Function Without Tags ^{_{265d9725-2fb8-42a2-bc57-3279c5db82d5}}	Ansible	Medium	Insecure Configurations	AWS Lambda Functions must have associated tags. (read more)	Documentation
Instance With No VPC ^{_{61d1a2d0-4db8-405a-913d-5d2ce49dff6f}}	Ansible	Medium	Insecure Configurations	EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)	Documentation
Certificate RSA Key Bytes Lower Than 256 ^{_{d5ec2080-340a-4259-b885-f833c4ea6a31}}	Ansible	Medium	Insecure Configurations	The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)	Documentation
AWS Password Policy With Unchangeable Passwords ^{_{e28ceb92-d588-4166-aac5-766c8f5b7472}}	Ansible	Medium	Insecure Configurations	Unchangeable passwords in AWS password policy (read more)	Documentation
API Gateway Endpoint Config is Not Private ^{_{559439b2-3e9c-4739-ac46-17e3b24ec215}}	Ansible	Medium	Networking and Firewall	The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)	Documentation
API Gateway without WAF ^{_{f5f38943-664b-4acc-ab11-f292fa10ed0b}}	Ansible	Medium	Networking and Firewall	API Gateway should have WAF (Web Application Firewall) enabled (read more)	Documentation
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible ^{_{7af1c447-c014-4f05-bd8b-ebe3a15734ac}}	Ansible	Medium	Networking and Firewall	Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)	Documentation
API Gateway X-Ray Disabled ^{_{2059155b-27fd-441e-b616-6966c468561f}}	Ansible	Medium	Observability	API Gateway should have X-Ray Tracing enabled (read more)	Documentation
API Gateway With CloudWatch Logging Disabled ^{_{72a931c2-12f5-40d1-93cc-47bff2f7aa2a}}	Ansible	Medium	Observability	AWS CloudWatch Logs for APIs is not enabled (read more)	Documentation
S3 Bucket Without Versioning ^{_{9232306a-f839-40aa-b3ef-b352001da9a5}}	Ansible	Medium	Observability	S3 bucket should have versioning enabled (read more)	Documentation
Configuration Aggregator to All Regions Disabled ^{_{a2fdf451-89dd-451e-af92-bf6c0f4bab96}}	Ansible	Medium	Observability	AWS Config Configuration Aggregator All Regions must be set to True (read more)	Documentation
S3 Bucket Logging Disabled ^{_{c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d}}	Ansible	Medium	Observability	Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)	Documentation
CloudFront Logging Disabled ^{_{d31cb911-bf5b-4eb6-9fc3-16780c77c7bd}}	Ansible	Medium	Observability	AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)	Documentation
CloudTrail Multi Region Disabled ^{_{6ad087d7-a509-4b20-b853-9ef6f5ebaa98}}	Ansible	Medium	Observability	CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)	Documentation
CloudWatch Without Retention Period Specified ^{_{e24e18d9-4c2b-4649-b3d0-18c088145e24}}	Ansible	Medium	Observability	AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)	Documentation
Stack Notifications Disabled ^{_{d39761d7-94ab-45b0-ab5e-27c44e381d58}}	Ansible	Medium	Observability	AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)	Documentation
CloudTrail Not Integrated With CloudWatch ^{_{ebb2118a-03bc-4d53-ab43-d8750f5cb8d3}}	Ansible	Medium	Observability	CloudTrail should be integrated with CloudWatch (read more)	Documentation
CloudTrail SNS Topic Name Undefined ^{_{5ba316a9-c466-4ec1-8d5b-bc6107dc9a92}}	Ansible	Medium	Observability	Check if SNS topic name is set for CloudTrail (read more)	Documentation
No Stack Policy ^{_{ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9}}	Ansible	Medium	Resource Management	AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)	Documentation
Hardcoded AWS Access Key ^{_{c2f15af3-66a0-4176-a56e-e4711e502e5c}}	Ansible	Medium	Secret Management	AWS Access Key should not be hardcoded (read more)	Documentation
Hardcoded AWS Access Key In Lambda ^{_{f34508b9-f574-4330-b42d-88c44cced645}}	Ansible	Medium	Secret Management	Lambda access/secret keys should not be hardcoded (read more)	Documentation
IAM Group Without Users ^{_{f509931b-bbb0-443c-bd9b-10e92ecf2193}}	Ansible	Low	Access Control	IAM Group should have at least one user associated (read more)	Documentation
IAM Role Allows All Principals To Assume ^{_{babdedcf-d859-43da-9a7b-6d72e661a8fd}}	Ansible	Low	Access Control	IAM role allows all services or principals to assume it (read more)	Documentation
EC2 Instance Using Default Security Group ^{_{8d03993b-8384-419b-a681-d1f55149397c}}	Ansible	Low	Access Control	EC2 instances should not use default security group(s) (read more)	Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services ^{_{12a7a7ce-39d6-49dd-923d-aeb4564eb66c}}	Ansible	Low	Access Control	IAM Policy should not grant 'AssumeRole' permission across all services. (read more)	Documentation
CDN Configuration Is Missing ^{_{b25398a2-0625-4e61-8e4d-a1bb23905bf6}}	Ansible	Low	Best Practices	Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)	Documentation
Automatic Minor Upgrades Disabled ^{_{857f8808-e96a-4ba8-a9b7-f2d4ec6cad94}}	Ansible	Low	Best Practices	RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)	Documentation
Lambda Permission Misconfigured ^{_{3ddf3417-424d-420d-8275-0724dc426520}}	Ansible	Low	Best Practices	Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)	Documentation
EFS Without Tags ^{_{b8a9852c-9943-4973-b8d5-77dae9352851}}	Ansible	Low	Build Process	Amazon Elastic Filesystem should have filesystem tags associated (read more)	Documentation
CloudTrail Log Files Not Encrypted With KMS ^{_{f5587077-3f57-4370-9b4e-4eb5b1bac85b}}	Ansible	Low	Encryption	Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)	Documentation
EC2 Instance Using Default VPC ^{_{8833f180-96f1-46f4-9147-849aafa56029}}	Ansible	Low	Networking and Firewall	EC2 Instances should not be configured under a default VPC network (read more)	Documentation
Redshift Using Default Port ^{_{e01de151-a7bd-4db4-b49b-3c4775a5e881}}	Ansible	Low	Networking and Firewall	Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)	Documentation
RDS Using Default Port ^{_{2cb674f6-32f9-40be-97f2-62c0dc38f0d5}}	Ansible	Low	Networking and Firewall	RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)	Documentation
ElastiCache Using Default Port ^{_{7cc6c791-5f68-4816-a564-b9b699f9d26e}}	Ansible	Low	Networking and Firewall	ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)	Documentation
CloudFront Without WAF ^{_{22c80725-e390-4055-8d14-a872230f6607}}	Ansible	Low	Networking and Firewall	All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)	Documentation
ElastiCache Without VPC ^{_{5527dcfc-94f9-4bf6-b7d4-1b78850cf41f}}	Ansible	Low	Networking and Firewall	ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)	Documentation
CloudTrail Log File Validation Disabled ^{_{4d8681a2-3d30-4c89-8070-08acd142748e}}	Ansible	Low	Observability	CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)	Documentation
Lambda Functions Without X-Ray Tracing ^{_{71397b34-1d50-4ee1-97cb-c96c34676f74}}	Ansible	Low	Observability	AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)	Documentation
EC2 Not EBS Optimized ^{_{338b6cab-961d-4998-bb49-e5b6a11c9a5c}}	Ansible	Info	Best Practices	It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)	Documentation
Cloud Storage Anonymous or Publicly Accessible ^{_{086031e1-9d4a-4249-acb3-5bfe4c363db2}}	Ansible	High	Access Control	Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)	Documentation
VM With Full Cloud Access ^{_{bc20bbc6-0697-4568-9a73-85af1dd97bdd}}	Ansible	High	Access Control	A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)	Documentation
BigQuery Dataset Is Public ^{_{2263b286-2fe9-4747-a0ae-8b4768a2bbd2}}	Ansible	High	Access Control	BigQuery dataset is anonymously or publicly accessible (read more)	Documentation
SQL DB Instance Backup Disabled ^{_{0c82eae2-aca0-401f-93e4-fb37a0f9e5e8}}	Ansible	High	Backup	Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)	Documentation
DNSSEC Using RSASHA1 ^{_{6cf4c3a7-ceb0-4475-8892-3745b84be24a}}	Ansible	High	Encryption	DNSSEC should not use the RSASHA1 algorithm (read more)	Documentation
SQL DB Instance With SSL Disabled ^{_{d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb}}	Ansible	High	Encryption	Cloud SQL Database Instance should have SLL enabled (read more)	Documentation
PostgreSQL Misconfigured Logging Duration Flag ^{_{aed98a2a-e680-497a-8886-277cea0f4514}}	Ansible	High	Insecure Configurations	PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)	Documentation
MySQL Instance With Local Infile On ^{_{a7b520bb-2509-4fb0-be05-bc38f54c7a4c}}	Ansible	High	Insecure Configurations	MySQL Instance should not have Local Infile On (read more)	Documentation
Cluster Master Authentication Disabled ^{_{9df7f78f-ebe3-432e-ac3b-b67189c15518}}	Ansible	High	Insecure Configurations	Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)	Documentation
Private Cluster Disabled ^{_{3b30e3d6-c99b-4318-b38f-b99db74578b5}}	Ansible	High	Insecure Configurations	Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)	Documentation
Cluster Labels Disabled ^{_{fbe9b2d0-a2b7-47a1-a534-03775f3013f7}}	Ansible	High	Insecure Configurations	Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)	Documentation
Cloud SQL Instance With Cross DB Ownership Chaining On ^{_{9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f}}	Ansible	High	Insecure Configurations	GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)	Documentation
Cloud SQL Instance With Contained Database Authentication On ^{_{6d34aff3-fdd2-460c-8190-756a3b4969e8}}	Ansible	High	Insecure Configurations	SQL Instance should not have Contained Database Authentication On (read more)	Documentation
IP Aliasing Disabled ^{_{ed672a9f-fbf0-44d8-a47d-779501b0db05}}	Ansible	High	Insecure Configurations	Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)	Documentation
GKE Legacy Authorization Enabled ^{_{300a9964-b086-41f7-9378-b6de3ba1c32b}}	Ansible	High	Insecure Configurations	Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)	Documentation
GKE Basic Authentication Enabled ^{_{344bf8ab-9308-462b-a6b2-697432e40ba1}}	Ansible	High	Insecure Configurations	GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)	Documentation
SQL DB Instance Publicly Accessible ^{_{7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b}}	Ansible	High	Insecure Configurations	Cloud SQL instances should not be publicly accessible. (read more)	Documentation
Client Certificate Disabled ^{_{20180133-a0d0-4745-bfe0-94049fbb12a9}}	Ansible	High	Insecure Configurations	Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)	Documentation
Network Policy Disabled ^{_{98e04ca0-34f5-4c74-8fec-d2e611ce2790}}	Ansible	High	Insecure Configurations	Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)	Documentation
Compute Instance Is Publicly Accessible ^{_{829f1c60-2bab-44c6-8a21-5cd9d39a2c82}}	Ansible	High	Networking and Firewall	Compute instances shouldn't be accessible from the Internet. (read more)	Documentation
GKE Master Authorized Networks Disabled ^{_{d43366c5-80b0-45de-bbe8-2338f4ab0a83}}	Ansible	High	Networking and Firewall	Master authorized networks must be enabled in GKE clusters (read more)	Documentation
Stackdriver Logging Disabled ^{_{19c9e2a0-fc33-4264-bba1-e3682661e8f7}}	Ansible	High	Observability	Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)	Documentation
Cloud Storage Bucket Logging Not Enabled ^{_{507df964-ad97-4035-ab14-94a82eabdfdd}}	Ansible	High	Observability	Cloud storage bucket should have logging enabled (read more)	Documentation
PostgreSQL Logging Of Temporary Files Disabled ^{_{d6fae5b6-ada9-46c0-8b36-3108a2a2f77b}}	Ansible	High	Observability	PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)	Documentation
Stackdriver Monitoring Disabled ^{_{20dcd953-a8b8-4892-9026-9afa6d05a525}}	Ansible	High	Observability	Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)	Documentation
PostgreSQL Log Connections Disabled ^{_{d7a5616f-0a3f-4d43-bc2b-29d1a183e317}}	Ansible	High	Observability	PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)	Documentation
Cloud Storage Bucket Versioning Disabled ^{_{7814ddda-e758-4a56-8be3-289a81ded929}}	Ansible	High	Observability	Cloud Storage Bucket should have versioning enabled (read more)	Documentation
Node Auto Upgrade Disabled ^{_{d6e10477-2e19-4bcd-b8a8-19c65b89ccdf}}	Ansible	High	Resource Management	Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)	Documentation
Disk Encryption Disabled ^{_{092bae86-6105-4802-99d2-99cd7e7431f3}}	Ansible	Medium	Encryption	VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)	Documentation
Google Compute SSL Policy Weak Cipher In Use ^{_{b28bcd2f-c309-490e-ab7c-35fc4023eb26}}	Ansible	Medium	Encryption	This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)	Documentation
Google Container Node Pool Auto Repair Disabled ^{_{d58c6f24-3763-4269-9f5b-86b2569a003b}}	Ansible	Medium	Insecure Configurations	Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)	Documentation
Cloud DNS Without DNSSEC ^{_{80b15fb1-6207-40f4-a803-6915ae619a03}}	Ansible	Medium	Insecure Configurations	DNSSEC must be enabled for Cloud DNS (read more)	Documentation
OSLogin Is Disabled In VM Instance ^{_{66dae697-507b-4aef-be18-eec5bd707f33}}	Ansible	Medium	Insecure Configurations	VM instance should have OSLogin enabled (read more)	Documentation
Using Default Service Account ^{_{2775e169-e708-42a9-9305-b58aadd2c4dd}}	Ansible	Medium	Insecure Configurations	Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)	Documentation
Shielded VM Disabled ^{_{18d3a83d-4414-49dc-90ea-f0387b2856cc}}	Ansible	Medium	Insecure Configurations	Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)	Documentation
COS Node Image Not Used ^{_{be41f891-96b1-4b9d-b74f-b922a918c778}}	Ansible	Medium	Insecure Configurations	The node image should be Container-Optimized OS(COS) (read more)	Documentation
GKE Using Default Service Account ^{_{dc126833-125a-40fb-905a-ce5f2afde240}}	Ansible	Medium	Insecure Defaults	Kubernetes Engine Clusters should not be configured to use the default service account (read more)	Documentation
Serial Ports Are Enabled For VM Instances ^{_{c6fc6f29-dc04-46b6-99ba-683c01aff350}}	Ansible	Medium	Networking and Firewall	Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)	Documentation
SSH Access Is Not Restricted ^{_{b2fbf1df-76dd-4d78-a6c0-e538f4a9b016}}	Ansible	Medium	Networking and Firewall	Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)	Documentation
RDP Access Is Not Restricted ^{_{75418eb9-39ec-465f-913c-6f2b6a80dc77}}	Ansible	Medium	Networking and Firewall	Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)	Documentation
Google Compute Network Using Firewall Rule that Allows All Ports ^{_{3602d273-3290-47b2-80fa-720162b1a8af}}	Ansible	Medium	Networking and Firewall	Google Compute Network should not use a firewall rule that allows all ports (read more)	Documentation
Google Compute Network Using Default Firewall Rule ^{_{29b8224a-60e9-4011-8ac2-7916a659841f}}	Ansible	Medium	Networking and Firewall	Google Compute Network should not use default firewall rule (read more)	Documentation
IP Forwarding Enabled ^{_{11bd3554-cd56-4257-8e25-7aaf30cf8f5f}}	Ansible	Medium	Networking and Firewall	Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)	Documentation
PostgreSQL log_checkpoints Flag Not Set To ON ^{_{89afe3f0-4681-4ce3-89ed-896cebd4277c}}	Ansible	Medium	Observability	PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)	Documentation
PostgreSQL Misconfigured Log Messages Flag ^{_{28a757fc-3d8f-424a-90c0-4233363b2711}}	Ansible	Medium	Observability	PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)	Documentation
Project-wide SSH Keys Are Enabled In VM Instances ^{_{099b4411-d11e-4537-a0fc-146b19762a79}}	Ansible	Medium	Secret Management	VM Instance should block project-wide SSH keys (read more)	Documentation
High Google KMS Crypto Key Rotation Period ^{_{f9b7086b-deb8-4034-9330-d7fd38f1b8de}}	Ansible	Medium	Secret Management	KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)	Documentation
Google Compute Subnetwork with Private Google Access Disabled ^{_{6a4080ae-79bd-42f6-a924-8f534c1c018b}}	Ansible	Low	Networking and Firewall	Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)	Documentation
Google Compute Network Using Firewall Rule that Allows Port Range ^{_{7289eebd-a477-4064-8ad4-3c044bd70b00}}	Ansible	Low	Networking and Firewall	Google Compute Network should not use a firewall rule that allows port range (read more)	Documentation
Allow Unsafe Lookups Enabled ^{_{86b97bb4-85c9-462d-8635-cbc057c5c8c5}}	Ansible	High	Insecure Configurations	When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)	Documentation
Privilege Escalation Using Become Plugin ^{_{404908b6-4954-4611-98f0-e8ceacdabcb1}}	Ansible	Medium	Access Control	In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)	Documentation
Communication over HTTP ^{_{d7dc9350-74bc-485b-8c85-fed22d276c43}}	Ansible	Medium	Insecure Configurations	Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)	Documentation
Logging of Sensitive Data ^{_{c6473dae-8477-4119-88b7-b909b435ce7b}}	Ansible	Low	Best Practices	To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)	Documentation
Ansible Tower Exposed To Internet ^{_{1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc}}	Ansible	Medium	Best Practices	Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)	Documentation
BOM - GCP PST ^{_{9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8}}	GoogleDeploymentManager	Trace	Bill Of Materials	A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)	Documentation
BOM - GCP SB ^{_{c7781feb-a955-4f9f-b9cf-0d7c6f54bb59}}	GoogleDeploymentManager	Trace	Bill Of Materials	A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)	Documentation
BOM - GCP PD ^{_{268c65a8-58ad-43e4-9019-1a9bbc56749f}}	GoogleDeploymentManager	Trace	Bill Of Materials	A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)	Documentation
Cloud Storage Anonymous or Publicly Accessible ^{_{63ae3638-a38c-4ff4-b616-6e1f72a31a6a}}	GoogleDeploymentManager	High	Access Control	Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)	Documentation
BigQuery Dataset Is Public ^{_{83103dff-d57f-42a8-bd81-40abab64c1a7}}	GoogleDeploymentManager	High	Access Control	BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)	Documentation
Cloud Storage Bucket Is Publicly Accessible ^{_{77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc}}	GoogleDeploymentManager	High	Access Control	Cloud Storage Bucket is anonymously or publicly accessible (read more)	Documentation
SQL DB Instance Backup Disabled ^{_{a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01}}	GoogleDeploymentManager	High	Backup	Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)	Documentation
DNSSEC Using RSASHA1 ^{_{6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35}}	GoogleDeploymentManager	High	Encryption	DNSSEC should not use the RSASHA1 algorithm (read more)	Documentation
SQL DB Instance With SSL Disabled ^{_{660360d3-9ca7-46d1-b147-3acc4002953f}}	GoogleDeploymentManager	High	Encryption	Cloud SQL Database Instance should have SLL enabled (read more)	Documentation
Not Proper Email Account In Use ^{_{a21b8df3-c840-4b3d-a41a-10fb2afda171}}	GoogleDeploymentManager	High	Insecure Configurations	Gmail accounts are being used instead of corporate credentials (read more)	Documentation
MySQL Instance With Local Infile On ^{_{c759d6f2-4dd3-4160-82d3-89202ef10d87}}	GoogleDeploymentManager	High	Insecure Configurations	MySQL Instance should not have Local Infile On (read more)	Documentation
Cluster Master Authentication Disabled ^{_{7ef7d141-9fbb-4679-a977-fd0883436906}}	GoogleDeploymentManager	High	Insecure Configurations	Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)	Documentation
Private Cluster Disabled ^{_{48c61fbd-09c9-46cc-a521-012e0c325412}}	GoogleDeploymentManager	High	Insecure Configurations	Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)	Documentation
Cluster Labels Disabled ^{_{8810968b-4b15-421d-918b-d91eb4bb8d1d}}	GoogleDeploymentManager	High	Insecure Configurations	Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)	Documentation
IP Aliasing Disabled ^{_{28727987-e398-49b8-aef1-8a3e7789d111}}	GoogleDeploymentManager	High	Insecure Configurations	Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)	Documentation
GKE Legacy Authorization Enabled ^{_{df58d46c-783b-43e0-bdd0-d99164f712ee}}	GoogleDeploymentManager	High	Insecure Configurations	Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)	Documentation
Client Certificate Disabled ^{_{dd690686-2bf9-4012-a821-f61912dd77be}}	GoogleDeploymentManager	High	Insecure Configurations	Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)	Documentation
Network Policy Disabled ^{_{c47f90e8-4a19-43f0-8413-cc434d286c4e}}	GoogleDeploymentManager	High	Insecure Configurations	Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)	Documentation
Compute Instance Is Publicly Accessible ^{_{8212e2d7-e683-49bc-bf78-d6799075c5a7}}	GoogleDeploymentManager	High	Networking and Firewall	Compute instances shouldn't be accessible from the Internet. (read more)	Documentation
GKE Master Authorized Networks Disabled ^{_{62c8cf50-87f0-4295-a974-8184ed78fe02}}	GoogleDeploymentManager	High	Networking and Firewall	Master authorized networks must be enabled in GKE clusters (read more)	Documentation
Stackdriver Logging Disabled ^{_{95601b9a-7fe8-4aee-9b58-d36fd9382dfc}}	GoogleDeploymentManager	High	Observability	Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)	Documentation
Stackdriver Monitoring Disabled ^{_{bbfc97ab-e92a-4a7b-954c-e88cec815011}}	GoogleDeploymentManager	High	Observability	Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)	Documentation
Cloud Storage Bucket Versioning Disabled ^{_{ad0875c1-0b39-4890-9149-173158ba3bba}}	GoogleDeploymentManager	High	Observability	Cloud Storage Bucket should have versioning enabled (read more)	Documentation
Node Auto Upgrade Disabled ^{_{dc5c5fee-6c53-43b0-ab11-4c660e064aaf}}	GoogleDeploymentManager	High	Resource Management	Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)	Documentation
Disk Encryption Disabled ^{_{fc040fb6-4c23-4c0d-b12a-39edac35debb}}	GoogleDeploymentManager	Medium	Encryption	VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)	Documentation
Cloud DNS Without DNSSEC ^{_{313d6deb-3b67-4948-b41d-35b699c2492e}}	GoogleDeploymentManager	Medium	Insecure Configurations	DNSSEC must be enabled for Cloud DNS (read more)	Documentation
OSLogin Is Disabled In VM Instance ^{_{e66e1b71-c810-4b4e-a737-0ab59e7f5e41}}	GoogleDeploymentManager	Medium	Insecure Configurations	VM instance should have OSLogin enabled (read more)	Documentation
Google Storage Bucket Level Access Disabled ^{_{1239f54b-33de-482a-8132-faebe288e6a6}}	GoogleDeploymentManager	Medium	Insecure Configurations	Google Storage Bucket Level Access should be enabled (read more)	Documentation
Shielded VM Disabled ^{_{9038b526-4c19-4928-bca2-c03d503bdb79}}	GoogleDeploymentManager	Medium	Insecure Configurations	Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)	Documentation
COS Node Image Not Used ^{_{dbe058d7-b82e-430b-8426-992b2e4677e7}}	GoogleDeploymentManager	Medium	Insecure Configurations	The node image should be Container-Optimized OS(COS) (read more)	Documentation
SSH Access Is Not Restricted ^{_{dee21308-2a7a-49de-8ff7-c9b87e188575}}	GoogleDeploymentManager	Medium	Networking and Firewall	Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)	Documentation
RDP Access Is Not Restricted ^{_{50cb6c3b-c878-4b88-b50e-d1421bada9e8}}	GoogleDeploymentManager	Medium	Networking and Firewall	Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)	Documentation
IP Forwarding Enabled ^{_{7c98538a-81c6-444b-bf04-e60bc3ceeec0}}	GoogleDeploymentManager	Medium	Networking and Firewall	Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)	Documentation
Bucket Without Versioning ^{_{227c2f58-70c6-4432-8e9a-a89c1a548cf5}}	GoogleDeploymentManager	Medium	Observability	Bucket should have versioning enabled (read more)	Documentation
Project-wide SSH Keys Are Enabled In VM Instances ^{_{6e2b1ec1-1eca-4eb7-9d4d-2882680b4811}}	GoogleDeploymentManager	Medium	Secret Management	VM Instance should block project-wide SSH keys (read more)	Documentation
Storage Account Not Forcing HTTPS ^{_{cb8e4bf0-903d-45c6-a278-9a947d82a27b}}	Pulumi	High	Encryption	Storage Accounts should enforce the use of HTTPS (read more)	Documentation
Redis Cache Allows Non SSL Connections ^{_{49e30ac8-f58e-4222-b488-3dcb90158ec1}}	Pulumi	Medium	Encryption	Redis Cache resource should not allow non-SSL connections. (read more)	Documentation
Amazon DMS Replication Instance Is Publicly Accessible ^{_{bccb296f-362c-4b05-9221-86d1437a1016}}	Pulumi	High	Access Control	Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)	Documentation
RDS DB Instance Publicly Accessible ^{_{647de8aa-5a42-41b5-9faf-22136f117380}}	Pulumi	High	Insecure Configurations	RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)	Documentation
Elasticsearch with HTTPS disabled ^{_{00603add-7f72-448f-a6c0-9e456a7a3f94}}	Pulumi	High	Networking and Firewall	Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)	Documentation
ElastiCache Nodes Not Created Across Multi AZ ^{_{9b18fc19-7fb8-49b1-8452-9c757c70f926}}	Pulumi	Medium	Availability	ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)	Documentation
ElastiCache Redis Cluster Without Backup ^{_{e93bbe63-a631-4c0f-b6ef-700d48441ff2}}	Pulumi	Medium	Backup	ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)	Documentation
IAM Password Without Lowercase Letter ^{_{de92dd34-1b88-43e8-b825-6e02d73c4549}}	Pulumi	Medium	Best Practices	IAM Password should have at least one lowercase letter (read more)	Documentation
IAM Password Without Minimum Length ^{_{9850d621-7485-44f7-8bdd-b3cf426315cf}}	Pulumi	Medium	Best Practices	IAM password should have the required minimum length (read more)	Documentation
DynamoDB Table Not Encrypted ^{_{b6a7e0ae-aed8-4a19-a993-a95760bf8836}}	Pulumi	Medium	Encryption	AWS DynamoDB Tables should have serverSideEncryption enabled (read more)	Documentation
API Gateway Without SSL Certificate ^{_{f27791a5-e2ae-4905-8910-6f995c576d09}}	Pulumi	Medium	Insecure Configurations	SSL Client Certificate should be defined (read more)	Documentation
API Gateway Access Logging Disabled ^{_{bf4b48b9-fc1f-4552-984a-4becdb5bf503}}	Pulumi	Medium	Observability	API Gateway should have Access Log Settings defined (read more)	Documentation
Elasticsearch Logs Disabled ^{_{a1120ee4-a712-42d9-8fb5-22595fed643b}}	Pulumi	Medium	Observability	AWS Elasticsearch should have logs enabled (read more)	Documentation
DocDB Logging Is Disabled ^{_{2ca87964-fe7e-4cdc-899c-427f0f3525f8}}	Pulumi	Low	Observability	DocDB logging should be enabled (read more)	Documentation
DynamoDB Table Point In Time Recovery Disabled ^{_{327b0729-4c5c-4c44-8b5c-e476cd9c7290}}	Pulumi	Info	Best Practices	It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)	Documentation
EC2 Not EBS Optimized ^{_{d991e4ae-42ab-429b-ab43-d5e5fa9ca633}}	Pulumi	Info	Best Practices	It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)	Documentation
EC2 Instance Monitoring Disabled ^{_{daa581ef-731c-4121-832d-cf078f67759d}}	Pulumi	Info	Observability	EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)	Documentation
PSP Set To Privileged ^{_{ee305555-6b1d-4055-94cf-e22131143c34}}	Pulumi	Medium	Insecure Configurations	Do not allow pod to request execution as privileged. (read more)	Documentation
Missing App Armor Config ^{_{95588189-1abd-4df1-9588-b0a5034f9e87}}	Pulumi	Low	Access Control	Containers should be configured with AppArmor for any application to reduce its potential attack (read more)	Documentation
Cloud Storage Bucket Logging Not Enabled ^{_{48f7e44d-d1d1-44c2-b336-9f11b65c4fb0}}	Pulumi	High	Observability	Cloud storage bucket should have logging enabled (read more)	Documentation
Google Compute SSL Policy Weak Cipher In Use ^{_{965e8830-2bec-4b9b-a7f0-24dbc200a68f}}	Pulumi	Medium	Encryption	This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)	Documentation
Global Security Field Is Undefined (v2) ^{_{74703c89-0ea2-49ab-a7db-bf04f19f5a57}}	OpenAPI	High	Access Control	Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions	Documentation
Global Security Field Is Undefined (v3) ^{_{8af270ce-298b-4405-9922-82a10aee7a4f}}	OpenAPI	High	Access Control	Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)	Documentation
Global Security Field Has An Empty Array (v2) ^{_{da31d54b-ad54-41dc-95eb-8b3828629213}}	OpenAPI	High	Access Control	Security object need to have defined rules in its array and rules should be defined on securityScheme	Documentation
Global Security Field Has An Empty Array (v3) ^{_{d674aea4-ba8b-454b-bb97-88a772ea33f0}}	OpenAPI	High	Access Control	Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)	Documentation
Security Field On Operations Has An Empty Array (v2) ^{_{5d29effc-5d68-481f-9721-d74e5919226b}}	OpenAPI	High	Access Control	Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error	Documentation
Security Field On Operations Has An Empty Array (v3) ^{_{663c442d-f918-4f62-b096-0bf5dcbeb655}}	OpenAPI	High	Access Control	Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)	Documentation
Security Field On Operations Has An Empty Object Definition (v2) ^{_{74581e3b-1d55-4323-a139-5959a7b3abc5}}	OpenAPI	High	Access Control	Security object for operations should not be empty object or has any empty object definition	Documentation
Security Field On Operations Has An Empty Object Definition (v3) ^{_{baade968-7467-41e4-bf22-83ca222f5800}}	OpenAPI	High	Access Control	Security object for operations should not be empty object or has any empty object definition (read more)	Documentation
Global security field has an empty object (v2) ^{_{292919fb-7b26-4454-bee9-ce29094768dd}}	OpenAPI	High	Access Control	Global security definition must not have empty objects	Documentation
Global security field has an empty object (v3) ^{_{543e38f4-1eee-479e-8eb0-15257013aa0a}}	OpenAPI	High	Access Control	Global security definition must not have empty objects (read more)	Documentation
No Global And Operation Security Defined (v2) ^{_{586abcee-9653-462d-ad7b-2638a32bd6e6}}	OpenAPI	High	Access Control	All paths should have security scheme, if it is omitted, global security field should be defined	Documentation
No Global And Operation Security Defined (v3) ^{_{96729c6b-7400-4d9e-9807-17f00cdde4d2}}	OpenAPI	High	Access Control	All paths should have security scheme, if it is omitted, global security field should be defined (read more)	Documentation
Cleartext API Key In Operation Security (v2) ^{_{99733b39-6413-4ed8-8acf-dc7cdc9b4e51}}	OpenAPI	High	Access Control	API Keys should not be sent as cleartext over an unencrypted channel	Documentation
Cleartext API Key In Operation Security (v3) ^{_{d90d4e40-44c1-4125-87a0-e072c3e195b5}}	OpenAPI	High	Access Control	API Keys should not be sent as cleartext over an unencrypted channel (read more)	Documentation
Array Items Has No Type (v2) ^{_{8697a1a4-82c6-4603-8ac8-57529756744e}}	OpenAPI	High	Insecure Configurations	Schema/Parameter array items type should be defined	Documentation
Array Items Has No Type (v3) ^{_{be0e0df7-f3d9-42a1-9b6f-d425f94872c4}}	OpenAPI	High	Insecure Configurations	Schema array items type should be defined (read more)	Documentation
Array Without Maximum Number of Items (v2) ^{_{99eb2c95-2040-4104-9e7c-e16f7474d218}}	OpenAPI	High	Insecure Configurations	Array schema/parameter should have the field 'maxItems' set	Documentation
Array Without Maximum Number of Items (v3) ^{_{6998389e-66b2-473d-8d05-c8d71ac4d04d}}	OpenAPI	High	Insecure Configurations	Array schema should have the field 'maxItems' set (read more)	Documentation
API Key Exposed In Global Security (v2) ^{_{533a0d13-6e89-4551-ae33-bce14e5849c1}}	OpenAPI	Medium	Access Control	API Keys should not be transported over network	Documentation
API Key Exposed In Global Security (v3) ^{_{aecee30b-8ea1-4776-a99c-d6d600f0862f}}	OpenAPI	Medium	Access Control	API Keys should not be transported over network (read more)	Documentation
Cleartext API Key In Global Security (v2) ^{_{70d3873e-d537-46e5-ac3b-4e48fbdd29b4}}	OpenAPI	Medium	Access Control	API Keys should not be sent as cleartext over an unencrypted channel	Documentation
Cleartext API Key In Global Security (v3) ^{_{9c238c97-1991-4c0b-9c7d-6c7912e1dc7c}}	OpenAPI	Medium	Access Control	API Keys should not be sent as cleartext over an unencrypted channel (read more)	Documentation
Maximum Length Undefined (v2) ^{_{2ec86e48-ab90-4cb6-a131-0502afd1f442}}	OpenAPI	Medium	Insecure Configurations	String schema/parameter/header should have 'maxLength' defined.	Documentation
Maximum Length Undefined (v3) ^{_{8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85}}	OpenAPI	Medium	Insecure Configurations	String schema should have 'maxLength' defined. (read more)	Documentation
Pattern Undefined (v2) ^{_{afde15cf-9444-4126-8c62-41cd79db1d1d}}	OpenAPI	Medium	Insecure Configurations	String schema/parameter/header should have 'pattern' defined.	Documentation
Pattern Undefined (v3) ^{_{00b78adf-b83f-419c-8ed8-c6018441dd3a}}	OpenAPI	Medium	Insecure Configurations	String schema should have 'pattern' defined. (read more)	Documentation
Schema Object is Empty (v2) ^{_{967575e5-eb44-4c24-aadb-7e33608ed30a}}	OpenAPI	Medium	Insecure Configurations	The Schema Object should not be empty to avoid accepting any JSON values	Documentation
Schema Object is Empty (v3) ^{_{500ce696-d501-41dd-86eb-eceb011a386f}}	OpenAPI	Medium	Insecure Configurations	The Schema Object should not be empty to avoid accepting any JSON values (read more)	Documentation
Numeric Schema Without Minimum (v2) ^{_{efd1dfc8-da91-4909-a3f3-c23abc5ec799}}	OpenAPI	Medium	Insecure Configurations	Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.	Documentation
Numeric Schema Without Minimum (v3) ^{_{181bd815-767e-4e95-a24d-bb3c87328e19}}	OpenAPI	Medium	Insecure Configurations	Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)	Documentation
JSON Object Schema Without Properties (v2) ^{_{3d28f751-bc18-4f83-ace0-216b6086410b}}	OpenAPI	Medium	Insecure Configurations	Schema of the JSON object should have properties defined and 'additionalProperties' set to false.	Documentation
JSON Object Schema Without Properties (v3) ^{_{9d967a2b-9d64-41a6-abea-dfc4960299bd}}	OpenAPI	Medium	Insecure Configurations	Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)	Documentation
Numeric Schema Without Maximum (v2) ^{_{203eee11-15b6-4d47-b888-4c7f534967ee}}	OpenAPI	Medium	Insecure Configurations	Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.	Documentation
Numeric Schema Without Maximum (v3) ^{_{2ea04bef-c769-409e-9179-ee3a50b5c0ac}}	OpenAPI	Medium	Insecure Configurations	Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)	Documentation
Numeric Schema Without Format (v2) ^{_{3ed8fc82-c2bb-49e0-811f-c53923674c49}}	OpenAPI	Medium	Insecure Configurations	Numeric schema (type set to 'integer' or 'number') should have 'format' defined.	Documentation
Numeric Schema Without Format (v3) ^{_{fbf699b5-ef74-4542-9cf1-f6eeac379373}}	OpenAPI	Medium	Insecure Configurations	Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)	Documentation
JSON Object Schema Without Type (v2) ^{_{62d52544-82ef-4b75-8308-cad49d50212b}}	OpenAPI	Medium	Insecure Configurations	Schema of the JSON object should have 'type' defined.	Documentation
JSON Object Schema Without Type (v3) ^{_{e2ffa504-d22a-4c94-b6c5-f661849d2db7}}	OpenAPI	Medium	Insecure Configurations	Schema of the JSON object should have 'type' defined. (read more)	Documentation
String Schema with Broad Pattern (v2) ^{_{e4a019f0-9af3-49c8-bf68-1939a6ff240d}}	OpenAPI	Medium	Insecure Configurations	String schema should restrict the pattern	Documentation
String Schema with Broad Pattern (v3) ^{_{8c81d6c0-716b-49ec-afa5-2d62da4e3f3c}}	OpenAPI	Medium	Insecure Configurations	String schema should restrict the pattern (read more)	Documentation
Success Response Code Undefined for Put Operation (v2) ^{_{965a043f-5f3c-4d0a-be72-d9ce12fdb4d6}}	OpenAPI	Medium	Networking and Firewall	Put should define at least one success response (200, 201, 202 or 204)	Documentation
Success Response Code Undefined for Put Operation (v3) ^{_{60b5f56b-66ff-4e1c-9b62-5753e16825bc}}	OpenAPI	Medium	Networking and Firewall	Put should define at least one success response (200, 201, 202 or 204) (read more)	Documentation
Response on operations that should not have a body has declared content (v2) ^{_{268defd2-2839-4e15-8cbc-de86eb38c231}}	OpenAPI	Medium	Networking and Firewall	If a response is head or its code is 204 or 304, it shouldn't have a schema defined	Documentation
Response on operations that should not have a body has declared content (v3) ^{_{12a7210b-f4b4-47d0-acac-0a819e2a0ca3}}	OpenAPI	Medium	Networking and Firewall	If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)	Documentation
Success Response Code Undefined for Patch Operation (v2) ^{_{f36e87cc-a209-4f37-8571-66833e4aead7}}	OpenAPI	Medium	Networking and Firewall	Patch should define at least one success response (200, 201, 202 or 204)	Documentation
Success Response Code Undefined for Patch Operation (v3) ^{_{1908a8ee-927d-4166-8f18-241152170cc1}}	OpenAPI	Medium	Networking and Firewall	Patch should define at least one success response (200, 201, 202 or 204) (read more)	Documentation
Success Response Code Undefined for Delete Operation (v2) ^{_{ad432855-b7fb-4429-92a3-93b5ce34f0b1}}	OpenAPI	Medium	Networking and Firewall	Delete should define at least one success response (200, 201, 202 or 204)	Documentation
Success Response Code Undefined for Delete Operation (v3) ^{_{3b497874-ae59-46dd-8d72-1868a3b8f150}}	OpenAPI	Medium	Networking and Firewall	Delete should define at least one success response (200, 201, 202 or 204) (read more)	Documentation
Response Code Missing (v2) ^{_{6e96ed39-bf45-4089-99ba-f1fe7cf6966f}}	OpenAPI	Medium	Networking and Firewall	500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.	Documentation
Response Code Missing (v3) ^{_{6c35d2c6-09f2-4e5c-a094-e0e91327071d}}	OpenAPI	Medium	Networking and Firewall	500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)	Documentation
Success Response Code Undefined for Post Operation (v2) ^{_{9fedee41-2e6d-4091-b011-4a16b4c18c70}}	OpenAPI	Medium	Networking and Firewall	Post should define at least one success response (200, 201, 202 or 204)	Documentation
Success Response Code Undefined for Post Operation (v3) ^{_{f368dd2d-9344-4146-a05b-7c6faa1269ad}}	OpenAPI	Medium	Networking and Firewall	Post should define at least one success response (200, 201, 202 or 204) (read more)	Documentation
Response on operations that should have a body has undefined schema (v2) ^{_{31afbcb7-70e0-48bb-a31a-3374f95cf859}}	OpenAPI	Medium	Networking and Firewall	If a response is not head or its code is not 204 or 304, it should have a schema defined	Documentation
Response on operations that should have a body has undefined schema (v3) ^{_{a92be1d5-d762-484a-86d6-8cd0907ba100}}	OpenAPI	Medium	Networking and Firewall	If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)	Documentation
Default Response Undefined On Operations (v2) ^{_{5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f}}	OpenAPI	Medium	Networking and Firewall	Operations responses should have a default response defined	Documentation
Default Response Undefined On Operations (v3) ^{_{86e3702f-c868-44b2-b61d-ea5316c18110}}	OpenAPI	Medium	Networking and Firewall	Operations responses should have a default response defined (read more)	Documentation
Success Response Code Undefined for Get Operation (v2) ^{_{9b633f3b-c94b-4fbb-a65b-1a4e9134fb63}}	OpenAPI	Medium	Networking and Firewall	Get should define at least one success response (200 or 202)	Documentation
Success Response Code Undefined for Get Operation (v3) ^{_{b2f275be-7d64-4064-b418-be6b431363a7}}	OpenAPI	Medium	Networking and Firewall	Get should define at least one success response (200 or 202) (read more)	Documentation
Success Response Code Undefined for Head Operation (v2) ^{_{4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a}}	OpenAPI	Medium	Networking and Firewall	Head should define at least one success response (200 or 202)	Documentation
Success Response Code Undefined for Head Operation (v3) ^{_{3b066059-f411-4554-ac8d-96f32bff90da}}	OpenAPI	Medium	Networking and Firewall	Head should define at least one success response (200 or 202) (read more)	Documentation
API Key Exposed In Operation Security (v2) ^{_{392599e4-a4e2-403d-bc56-3fe05755782d}}	OpenAPI	Low	Access Control	API Keys should not be transported over network	Documentation
API Key Exposed In Operation Security (v3) ^{_{281b8071-6226-4a43-911d-fec246d422c2}}	OpenAPI	Low	Access Control	API Keys should not be transported over network (read more)	Documentation
Invalid Format (v2) ^{_{caf1793e-95dd-4b18-8d90-8f3c0ab5bddf}}	OpenAPI	Low	Insecure Configurations	The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double	Documentation
Invalid Format (v3) ^{_{d929c031-078f-4241-b802-e224656ad890}}	OpenAPI	Low	Insecure Configurations	The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)	Documentation
Required Property With Default Value (v2) ^{_{f7ab6c83-ef89-40e1-8a99-32e2599fb665}}	OpenAPI	Info	Best Practices	Required properties receive value from requests, which makes unnecessary declare a default value	Documentation
Required Property With Default Value (v3) ^{_{013bdb4b-9246-4248-b0c3-7fb0fee42a29}}	OpenAPI	Info	Best Practices	Required properties receive value from requests, which makes unnecessary declare a default value (read more)	Documentation
Object Using Enum With Keyword (v2) ^{_{7f15962a-d862-451c-ac9b-84ec13747aa6}}	OpenAPI	Info	Best Practices	Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords	Documentation
Object Using Enum With Keyword (v3) ^{_{2e9b6612-8f69-42e0-a5b8-ed17739c2f3a}}	OpenAPI	Info	Best Practices	Schema Object properties should not contain 'enum' and schema keywords (read more)	Documentation
Header Parameter Named as 'Content-Type' (v2) ^{_{51978067-3b22-4c29-aaf3-96bf0bc28897}}	OpenAPI	Info	Best Practices	The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.	Documentation
Header Parameter Named as 'Content-Type' (v3) ^{_{72d259ca-9741-48dd-9f62-eb11f2936b37}}	OpenAPI	Info	Best Practices	The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)	Documentation
Header Response Name Is Invalid (v2) ^{_{86733e01-a435-4bd5-a8b0-5108be9dc1e4}}	OpenAPI	Info	Best Practices	The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.	Documentation
Header Response Name Is Invalid (v3) ^{_{d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd}}	OpenAPI	Info	Best Practices	The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)	Documentation
Invalid Contact URL (v2) ^{_{c7000383-16d0-4509-8cd3-585e5ea2e2f2}}	OpenAPI	Info	Best Practices	Contact Object URL should be a valid URL	Documentation
Invalid Contact URL (v3) ^{_{332cf2ad-380d-4b90-b436-46f8e635cf38}}	OpenAPI	Info	Best Practices	Contact Object URL should be a valid URL (read more)	Documentation
Invalid Tag External Documentation URL (v2) ^{_{b4a7d925-738b-4219-99d9-87d6ee262a03}}	OpenAPI	Info	Best Practices	Tag External Documentation URL should be a valid URL	Documentation
Invalid Tag External Documentation URL (v3) ^{_{5aea1d7e-b834-4749-b143-2c7ec3bd5922}}	OpenAPI	Info	Best Practices	Tag External Documentation URL should be a valid URL (read more)	Documentation
Header Parameter Named as 'Accept' (v2) ^{_{3ddd74cc-6582-486c-8b0c-2b48cb38e0a3}}	OpenAPI	Info	Best Practices	The header Parameter should not be named as 'Accept'. If so, it will be ignored.	Documentation
Header Parameter Named as 'Accept' (v3) ^{_{f2702af5-6016-46cb-bbc8-84c766032095}}	OpenAPI	Info	Best Practices	The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)	Documentation
Invalid Global External Documentation URL (v2) ^{_{46d3b74d-9fe9-45bf-9e9e-efb7f701ee28}}	OpenAPI	Info	Best Practices	Global External Documentation URL should be a valid URL	Documentation
Invalid Global External Documentation URL (v3) ^{_{b2d9dbf6-539c-4374-a1fd-210ddf5563a8}}	OpenAPI	Info	Best Practices	Global External Documentation URL should be a valid URL (read more)	Documentation
Example Not Compliant With Schema Type (v2) ^{_{448db771-06ea-4dee-b48c-1689cbfb4b43}}	OpenAPI	Info	Best Practices	Examples values and fields should be compliant with the schema type	Documentation
Example Not Compliant With Schema Type (v3) ^{_{881a6e71-c2a7-4fe2-b9c3-dfcf08895331}}	OpenAPI	Info	Best Practices	Examples values and fields should be compliant with the schema type (read more)	Documentation
Header Parameter Named as 'Authorization' (v2) ^{_{e2e00c97-7171-4fb4-b461-d631df9a711c}}	OpenAPI	Info	Best Practices	The header Parameter should not be named as 'Authorization'. If so, it will be ignored.	Documentation
Header Parameter Named as 'Authorization' (v3) ^{_{8c84f75e-5048-4926-a4cb-33e7b3431300}}	OpenAPI	Info	Best Practices	The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)	Documentation
Operation Without Successful HTTP Status Code (v2) ^{_{a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2}}	OpenAPI	Info	Best Practices	Operation Object should have at least one successful HTTP status code defined	Documentation
Operation Without Successful HTTP Status Code (v3) ^{_{48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd}}	OpenAPI	Info	Best Practices	Operation Object should have at least one successful HTTP status code defined (read more)	Documentation
Path Without Operation (v2) ^{_{609cd557-66b4-41fa-8edd-2abc6c7cfd08}}	OpenAPI	Info	Best Practices	Path object should have at least one operation object defined	Documentation
Path Without Operation (v3) ^{_{84c826c9-1893-4b34-8cdd-db97645b4bf3}}	OpenAPI	Info	Best Practices	Path object should have at least one operation object defined (read more)	Documentation
Invalid Operation External Documentation URL (v2) ^{_{25635c31-ee32-4708-88e5-fced87516f51}}	OpenAPI	Info	Best Practices	Operation External Documentation URL should be a valid URL	Documentation
Invalid Operation External Documentation URL (v3) ^{_{5ea61624-3733-4a3a-8ca4-b96fec9c5aeb}}	OpenAPI	Info	Best Practices	Operation External Documentation URL should be a valid URL (read more)	Documentation
Invalid License URL (v2) ^{_{de2b4910-8484-46d6-a055-dc1e793ee3ff}}	OpenAPI	Info	Best Practices	License Object URL should be a valid URL	Documentation
Invalid License URL (v3) ^{_{9239c289-9e4c-4d92-8be1-9d506057c971}}	OpenAPI	Info	Best Practices	License Object URL should be a valid URL (read more)	Documentation
JSON '$ref' alongside other properties (v2) ^{_{f34c1c68-4773-4df0-a103-6e2ca32e585f}}	OpenAPI	Info	Best Practices	Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key	Documentation
JSON '$ref' alongside other properties (v3) ^{_{96beb800-566f-49a9-a0ea-dbdf4bc80429}}	OpenAPI	Info	Best Practices	Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)	Documentation
Invalid Contact Email (v2) ^{_{d83bebc8-4e5e-4241-b783-cba9fb5a1c9a}}	OpenAPI	Info	Best Practices	Contact Object Email should be a valid email	Documentation
Invalid Contact Email (v3) ^{_{b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7}}	OpenAPI	Info	Best Practices	Contact Object Email should be a valid email (read more)	Documentation
Invalid Schema External Documentation URL (v2) ^{_{f7fa95b7-d819-484c-9a2b-665dd1bba25e}}	OpenAPI	Info	Best Practices	Schema External Documentation URL should be a valid URL	Documentation
Invalid Schema External Documentation URL (v3) ^{_{6952a7e0-6e48-4285-bbc1-27c64e60f888}}	OpenAPI	Info	Best Practices	Schema External Documentation URL should be a valid URL (read more)	Documentation
Non-Array Schema With Items (v2) ^{_{9d47956b-29cd-43b1-9e6e-b39a4d484353}}	OpenAPI	Info	Structure and Semantics	Non-Array Schema should not have 'items' defined	Documentation
Non-Array Schema With Items (v3) ^{_{20cb3159-b219-496b-8dac-54ae3ab2021a}}	OpenAPI	Info	Structure and Semantics	Non-Array Schema should not have 'items' defined (read more)	Documentation
Path Is Ambiguous (v2) ^{_{b2468463-3ac4-4930-890c-f35b2bf4485d}}	OpenAPI	Info	Structure and Semantics	All path should be unique, if has more than one operation, all operations should be part of same Path Object	Documentation
Path Is Ambiguous (v3) ^{_{237402e2-c2f0-46c9-9cf5-286160cf7bfc}}	OpenAPI	Info	Structure and Semantics	All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)	Documentation
Schema Discriminator Not Required (v2) ^{_{be6a3722-af60-438c-b1b9-2a03e2958ab7}}	OpenAPI	Info	Structure and Semantics	The discriminator property in the Schema Object should be a required property	Documentation
Schema Discriminator Not Required (v3) ^{_{b481d46c-9c61-480f-86d9-af07146dc4a4}}	OpenAPI	Info	Structure and Semantics	The discriminator property in the Schema Object should be a required property (read more)	Documentation
Property 'allowEmptyValue' Improperly Defined (v2) ^{_{0bc1477d-0922-478b-ae16-674a7634a1a8}}	OpenAPI	Info	Structure and Semantics	Property 'allowEmptyValue' should be only defined for query parameters and formData parameters	Documentation
Property 'allowEmptyValue' Improperly Defined (v3) ^{_{4bcbcd52-3028-469f-bc14-02c7dbba2df2}}	OpenAPI	Info	Structure and Semantics	Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)	Documentation
OperationId Not Unique (v2) ^{_{21245007-91c4-40e5-964e-40c85d1e5aa6}}	OpenAPI	Info	Structure and Semantics	OperationId should be unique when defined	Documentation
OperationId Not Unique (v3) ^{_{c254adc4-ef25-46e1-8270-b7944adb4198}}	OpenAPI	Info	Structure and Semantics	OperationId should be unique when defined (read more)	Documentation
Paths Object is Empty (v2) ^{_{3e6c7b1c-8a8d-43ab-98b9-65159f44db4a}}	OpenAPI	Info	Structure and Semantics	Paths object may be empty due to ACL constraints, meaning they are not exposed	Documentation
Paths Object is Empty (v3) ^{_{815021c8-a50c-46d9-b192-24f71072c400}}	OpenAPI	Info	Structure and Semantics	Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)	Documentation
Parameters Name In Combination Not Unique (v2) ^{_{ab871897-ec02-4835-9818-702536ee1dda}}	OpenAPI	Info	Structure and Semantics	Parameters properties 'name' and 'in' should have unique combinations	Documentation
Parameters Name In Combination Not Unique (v3) ^{_{f5b2e6af-76f5-496d-8482-8f898c5fdb4a}}	OpenAPI	Info	Structure and Semantics	Parameters properties 'name' and 'in' should have unique combinations (read more)	Documentation
Parameter Objects Headers With Duplicated Name (v2) ^{_{bd2cbef5-62c4-40f1-af07-4b7f9ced6616}}	OpenAPI	Info	Structure and Semantics	Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.	Documentation
Parameter Objects Headers With Duplicated Name (v3) ^{_{05505192-ba2c-4a81-9b25-dcdbcc973746}}	OpenAPI	Info	Structure and Semantics	Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)	Documentation
Responses Object Is Empty (v2) ^{_{6172e7ab-d2b7-45f8-a7db-1603931d8ba3}}	OpenAPI	Info	Structure and Semantics	Responses Object should not be empty	Documentation
Responses Object Is Empty (v3) ^{_{990eaf09-d6f1-4c3c-b174-a517b1de8917}}	OpenAPI	Info	Structure and Semantics	Responses Object should not be empty (read more)	Documentation
Schema Has A Required Property Undefined (v2) ^{_{811762c8-2e99-4f70-88f9-a63875a953b1}}	OpenAPI	Info	Structure and Semantics	Schema Object should not be have a required property that is not defined on properties	Documentation
Schema Has A Required Property Undefined (v3) ^{_{2bd608ae-8a1f-457f-b710-c237883cb313}}	OpenAPI	Info	Structure and Semantics	Schema Object should not be have a required property that is not defined on properties (read more)	Documentation
Default Invalid (v2) ^{_{78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07}}	OpenAPI	Info	Structure and Semantics	The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type	Documentation
Default Invalid (v3) ^{_{a96bbc06-8cde-4295-ad3c-ee343a7f658e}}	OpenAPI	Info	Structure and Semantics	The field 'default' of Schema Object should be consistent with the schema's type (read more)	Documentation
Properties Missing Required Property (v2) ^{_{71beb6ab-8b70-4816-a9ac-a0ff1fb22a62}}	OpenAPI	Info	Structure and Semantics	Schema Object should have all required properties defined	Documentation
Properties Missing Required Property (v3) ^{_{3fb03214-25d4-4bd4-867c-c2d8d708a483}}	OpenAPI	Info	Structure and Semantics	Schema Object should have all required properties defined (read more)	Documentation
Path Parameter With No Corresponding Template Path (v2) ^{_{194ef1f8-360e-4c14-8ed2-e83e2bafa142}}	OpenAPI	Info	Structure and Semantics	The path parameter must have a corresponding template path for a given operation	Documentation
Path Parameter With No Corresponding Template Path (v3) ^{_{69d7aefd-149d-47b8-8d89-1c2181a8067b}}	OpenAPI	Info	Structure and Semantics	The path parameter must have a corresponding template path for a given operation (read more)	Documentation
Type Has Invalid Keyword (v2) ^{_{492c6cbb-f3f8-4807-aa4f-42b8b1c46b59}}	OpenAPI	Info	Structure and Semantics	Schema/Parameter/Header Object define type should not use a keyword of another type	Documentation
Type Has Invalid Keyword (v3) ^{_{a9228976-10cf-4b5f-b902-9e962aad037a}}	OpenAPI	Info	Structure and Semantics	Schema Object define type should not use a keyword of another type (read more)	Documentation
Responses With Wrong HTTP Status Code (v2) ^{_{069a5378-2091-43f0-aa3b-ee8f20996e99}}	OpenAPI	Info	Structure and Semantics	HTTP Responses status code should be in range of [200-599]	Documentation
Responses With Wrong HTTP Status Code (v3) ^{_{d86655c0-92f6-4ffc-b4d5-5b5775804c27}}	OpenAPI	Info	Structure and Semantics	HTTP Responses status code should be in range of [200-599] (read more)	Documentation
Template Path With No Corresponding Path Parameter (v2) ^{_{e7656d8d-7288-4bbe-b07b-22b389be75ce}}	OpenAPI	Info	Structure and Semantics	The template path must have a corresponding path parameter for a given operation	Documentation
Template Path With No Corresponding Path Parameter (v3) ^{_{561710b1-b845-4562-95ce-2397a05ccef4}}	OpenAPI	Info	Structure and Semantics	The template path must have a corresponding path parameter for a given operation (read more)	Documentation
Schema Enum Invalid (v2) ^{_{8fe6d18a-ad4c-4397-8884-e3a9da57f4c9}}	OpenAPI	Info	Structure and Semantics	The field 'enum' of Schema Object should be consistent with the schema's type	Documentation
Schema Enum Invalid (v3) ^{_{03856cb2-e46c-4daf-bfbf-214ec93c882b}}	OpenAPI	Info	Structure and Semantics	The field 'enum' of Schema Object should be consistent with the schema's type (read more)	Documentation
Items Undefined (v2) ^{_{3e4d34d2-36cf-4449-976d-6c256db8fc49}}	OpenAPI	Info	Structure and Semantics	Schema/Parameter items should be defined when the schema/parameter is set to an array.	Documentation
Items Undefined (v3) ^{_{a8e859da-4a43-4e7f-94b8-25d6e3bf8e90}}	OpenAPI	Info	Structure and Semantics	Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)	Documentation
Schema Object Properties With Duplicated Keys (v2) ^{_{ded017bf-fb13-4f8d-868b-84aebcc572ad}}	OpenAPI	Info	Structure and Semantics	Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'	Documentation
Schema Object Properties With Duplicated Keys (v3) ^{_{10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa}}	OpenAPI	Info	Structure and Semantics	Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)	Documentation
Schema Discriminator Property Not String (v2) ^{_{949376f1-f560-4c6d-a016-63424ca931bb}}	OpenAPI	Info	Structure and Semantics	Schema discriminator property should be a string	Documentation
Schema Discriminator Property Not String (v3) ^{_{dadc2f36-1f5a-46c0-8289-75e626583123}}	OpenAPI	Info	Structure and Semantics	Schema discriminator property should be a string (read more)	Documentation
Path Template is Empty (v2) ^{_{c201b7ad-6173-4598-a407-5edb04a1bcd7}}	OpenAPI	Info	Structure and Semantics	All path templates should not be empty	Documentation
Path Template is Empty (v3) ^{_{ae13a37d-943b-47a7-a970-83c8598bcca3}}	OpenAPI	Info	Structure and Semantics	All path templates should not be empty (read more)	Documentation
Path Parameter Not Required (v2) ^{_{ccd0613f-cb77-4684-a892-183bd2674d12}}	OpenAPI	Info	Structure and Semantics	The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.	Documentation
Path Parameter Not Required (v3) ^{_{0de50145-e845-47f4-9a15-23bcf2125710}}	OpenAPI	Info	Structure and Semantics	The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)	Documentation
Property Defining Minimum Greater Than Maximum (v2) ^{_{b5102ea9-6527-4bb7-94fc-9b4076150e55}}	OpenAPI	Info	Structure and Semantics	Property defining minimum has greater value than maximum defined	Documentation
Property Defining Minimum Greater Than Maximum (v3) ^{_{ab2af219-cd08-4233-b5a1-a788aac88b51}}	OpenAPI	Info	Structure and Semantics	Property defining minimum has greater value than maximum defined (read more)	Documentation
Schema Object With Circular Ref (v2) ^{_{cbff2508-85c9-4448-a8b3-770070edf5ca}}	OpenAPI	Info	Structure and Semantics	Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties	Documentation
Schema Object With Circular Ref (v3) ^{_{1a1aea94-745b-40a7-b860-0702ea6ee636}}	OpenAPI	Info	Structure and Semantics	Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)	Documentation
Schema Discriminator Mismatch Defined Properties (v2) ^{_{addc0eab-27f6-4c26-8526-d2ccd3732662}}	OpenAPI	Info	Structure and Semantics	Schema discriminator values should match defined properties.	Documentation
Schema Discriminator Mismatch Defined Properties (v3) ^{_{40d3df21-c170-4dbe-9c02-4289b51f994f}}	OpenAPI	Info	Structure and Semantics	Schema discriminator values should match defined properties. (read more)	Documentation
Security Definitions Undefined or Empty ^{_{e3f026e8-fdb4-4d5a-bcfd-bd94452073fe}}	OpenAPI	High	Access Control	Security Definitions Object should be set and not empty (read more)	Documentation
Security Requirement Not Defined In Security Definition ^{_{a599b0d1-ff89-4cb8-9ece-9951854c06f6}}	OpenAPI	High	Structure and Semantics	All security requirement objects must be defined in 'securityDefinitions' (read more)	Documentation
Non OAuth2 Security Requirement Defining OAuth2 Scopes ^{_{ba239cb9-f342-4c20-812d-7b5a2aa6969e}}	OpenAPI	High	Structure and Semantics	If the security scheme is not of type 'oauth2', the array value must be empty (read more)	Documentation
Global Security Using Password Flow ^{_{2da46be4-4317-4650-9285-56d7103c4f93}}	OpenAPI	Medium	Access Control	Security should not use 'password' Flow in OAuth2 authentication (read more)	Documentation
Invalid OAuth2 Authorization URL (v2) ^{_{33d96c65-977d-4c33-943f-440baca49185}}	OpenAPI	Medium	Access Control	The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)	Documentation
Operation Using Password Flow ^{_{2e44e632-d617-43cb-b294-6bfe72a08938}}	OpenAPI	Medium	Access Control	Operation Object should not use 'password' Flow in OAuth2 authentication (read more)	Documentation
Implicit Flow in OAuth2 (v2) ^{_{e9817ad8-a8c9-4038-8a2f-db0e6e7b284b}}	OpenAPI	Medium	Access Control	There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)	Documentation
Invalid OAuth2 Token URL (v2) ^{_{274f910a-0665-4f08-b66d-7058fe927dba}}	OpenAPI	Medium	Access Control	OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)	Documentation
Security Definitions Allows Password Flow ^{_{773116aa-2e6d-416f-bd85-f0301cc05d76}}	OpenAPI	Medium	Access Control	Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)	Documentation
Path Scheme Accepts HTTP (v2) ^{_{a6847dc6-f4ea-45ac-a81f-93291ae6c573}}	OpenAPI	Medium	Encryption	The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)	Documentation
Schemes Uses HTTP ^{_{a46928f1-43d7-4671-94e0-2dd99746f389}}	OpenAPI	Medium	Encryption	Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)	Documentation
Global Schemes Uses HTTP ^{_{f30ee711-0082-4480-85ab-31d922d9a2b2}}	OpenAPI	Medium	Encryption	Global Schemes should use 'https' protocol instead of 'http' (read more)	Documentation
Operation Object Without 'consumes' ^{_{0c79e50e-b3cf-490c-b8f6-587c644d4d0c}}	OpenAPI	Medium	Insecure Configurations	Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)	Documentation
Operation Object Without 'produces' ^{_{be3e170e-1572-461e-a8b6-d963def581ec}}	OpenAPI	Medium	Insecure Configurations	Operation Object should have 'produces' feild defined for 'GET'operation (read more)	Documentation
Operation Using Basic Auth ^{_{ceefb058-8065-418f-9c4c-584a78c7e104}}	OpenAPI	Low	Access Control	Operation Object should not use basic authentication (read more)	Documentation
Security Definitions Using Basic Auth ^{_{221015a8-aa2a-43f5-b00b-ad7d2b1d47a8}}	OpenAPI	Low	Access Control	Security Definition Object should not use basic authentication (read more)	Documentation
Operation Using Implicit Flow ^{_{f42dfe7e-787d-4478-a75e-a5f3d8a2269e}}	OpenAPI	Low	Access Control	Operation Object should not use implicit flow (read more)	Documentation
Undefined Scope 'securityDefinition' On 'security' Field On Operations ^{_{3847280c-9193-40bc-8009-76168e822ce2}}	OpenAPI	Low	Access Control	Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)	Documentation
Undefined Scope 'securityDefinition' On Global 'security' Field ^{_{9aa6e95c-d964-4239-a3a8-9f37a3c5a31f}}	OpenAPI	Low	Access Control	Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)	Documentation
Operation Summary Too Long ^{_{d47940ca-5970-45cc-bdd1-4d81398cee1f}}	OpenAPI	Low	Best Practices	Operation summary should be short (less than 120 characters) (read more)	Documentation
Global Schema Definition Not Being Used ^{_{6d2e0790-cc3d-4c74-b973-d4e8b09f4455}}	OpenAPI	Info	Best Practices	All global schemas definitions should be in use (read more)	Documentation
Global Responses Definition Not Being Used ^{_{0b76d993-ee52-43e0-8b39-3787d2ddabf1}}	OpenAPI	Info	Best Practices	All global responses definitions should be in use (read more)	Documentation
Global Parameter Definition Not Being Used ^{_{b30981fa-a12e-49c7-a5bb-eeafb61d0f0f}}	OpenAPI	Info	Best Practices	All global parameters definitions should be in use (read more)	Documentation
Schema with 'additionalProperties' set as Boolean ^{_{3a01790c-ebee-4da6-8fd3-e78657383b75}}	OpenAPI	Info	Best Practices	The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)	Documentation
Unknown Prefix (v2) ^{_{3b615f00-c443-4ba9-acc4-7c308716917d}}	OpenAPI	Info	Best Practices	The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)	Documentation
Constraining Enum Property ^{_{be1d8733-3731-40c7-a845-734741c6871d}}	OpenAPI	Info	Best Practices	There is a constraining keyword in a property which is already restricted by enum values (read more)	Documentation
Invalid Media Type Value (v2) ^{_{f985a7d2-d404-4a7f-9814-f645f791e46e}}	OpenAPI	Info	Best Practices	The Media Type value should match the following format: /[+suffix][;parameters] (read more)	Documentation
Multiple Body Parameters In The Same Operation ^{_{b90033cf-ad9f-4fb9-acd1-1b9d6d278c87}}	OpenAPI	Info	Structure and Semantics	Only one body parameter is allowed on operation's parameters type field (read more)	Documentation
Host With Invalid Pattern ^{_{3d7d7b6c-fb0a-475e-8a28-c125e30d15f0}}	OpenAPI	Info	Structure and Semantics	Host field should be an IP or a valid host name (read more)	Documentation
Response Object With Incorrect Ref (v2) ^{_{bccfa089-89e4-47e0-a0e5-185fe6902220}}	OpenAPI	Info	Structure and Semantics	Response Object reference must always point to '#/responses' (read more)	Documentation
Multi 'collectionformat' Not Valid For 'in' Parameter ^{_{750f6448-27c0-49f8-a153-b81735c1e19c}}	OpenAPI	Info	Structure and Semantics	When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)	Documentation
Schema JSON Reference Does Not Exists (v2) ^{_{98295b32-ec09-4b5b-89a9-39853197f914}}	OpenAPI	Info	Structure and Semantics	Schema reference should exists on definitions field (read more)	Documentation
Responses JSON Reference Does Not Exists (v2) ^{_{e9db5fb4-6a84-4abb-b4af-3b94fbdace6d}}	OpenAPI	Info	Structure and Semantics	Responses reference should exist on responses definition field (read more)	Documentation
Parameter Object With Incorrect Ref (v2) ^{_{2596545e-1757-4ff7-a15a-8a9a180a42f3}}	OpenAPI	Info	Structure and Semantics	Parameter Object reference must always point to '#/parameters' (read more)	Documentation
Object Without Required Property (v2) ^{_{5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275}}	OpenAPI	Info	Structure and Semantics	OpenAPI Object should contain all of its required fields (read more)	Documentation
Unknown Property (v2) ^{_{429b2106-ba37-43ba-9727-7f699cc611e1}}	OpenAPI	Info	Structure and Semantics	All properties defined in OpenAPI objects should be known (read more)	Documentation
BasePath With Wrong Format ^{_{b4803607-ed72-4d60-99e2-3fa6edf471c6}}	OpenAPI	Info	Structure and Semantics	The 'basePath' value format must match the pattern '^/' (read more)	Documentation
Body Parameter Without Schema ^{_{ed48229d-d43e-4da7-b453-5f98d964a57a}}	OpenAPI	Info	Structure and Semantics	The Body Parameter Object should have the attribute 'schema' defined (read more)	Documentation
Operation Object Parameters With 'body' And 'formatData' locations ^{_{eb3f9744-d24e-4614-b1ff-2a9514eca21c}}	OpenAPI	Info	Structure and Semantics	Operation object parameters should not have both 'body' and 'formatData' locations (read more)	Documentation
Schema Object Incorrect Ref (v2) ^{_{0220e1c5-65d1-49dd-b7c2-cef6d6cb5283}}	OpenAPI	Info	Structure and Semantics	Schema Object reference must always point to '#/definitions' (read more)	Documentation
File Parameter With Wrong Consumes Property ^{_{7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a}}	OpenAPI	Info	Structure and Semantics	Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)	Documentation
Parameter JSON Reference Does Not Exists (v2) ^{_{fb889ae9-2d16-40b5-b41f-9da716c5abc1}}	OpenAPI	Info	Structure and Semantics	Parameter reference should exist on parameters definition field (read more)	Documentation
Operation Example Mismatch Produces MimeType ^{_{2cf35b40-ded3-43d6-9633-c8dcc8bcc822}}	OpenAPI	Info	Structure and Semantics	Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)	Documentation
Property Not Unique ^{_{750b40be-4bac-4f59-bdc4-1ca0e6c3450e}}	OpenAPI	Info	Structure and Semantics	Every defined property must be unique throughout the whole API (read more)	Documentation
Non Body Parameter Without Schema ^{_{73c3bc54-3cc6-4c0a-b30a-e19f2abfc951}}	OpenAPI	Info	Structure and Semantics	The Body Parameter Object should have the attribute 'schema' defined (read more)	Documentation
Body Parameter With Wrong Property ^{_{c38d630d-a415-4e3e-bac2-65475979ba88}}	OpenAPI	Info	Structure and Semantics	The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)	Documentation
Parameter File Type Not In 'formData' ^{_{c3cab8c4-6c52-47a9-942b-c27f26fbd7d2}}	OpenAPI	Info	Structure and Semantics	The In field of Parameter Object must be 'formData' when type is 'file' (read more)	Documentation
Cleartext Credentials With Basic Authentication For Operation ^{_{86b1fa30-9790-4980-994d-a27e0f6f27c1}}	OpenAPI	High	Access Control	Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)	Documentation
Field 'securityScheme' On Components Is Undefined ^{_{8db5544e-4874-4baa-9322-e9f75a2d219e}}	OpenAPI	High	Access Control	Components' securityScheme field must have a valid scheme (read more)	Documentation
OAuth2 With Implicit Flow ^{_{39cb32f2-3a42-4af0-8037-82a7a9654b6c}}	OpenAPI	Medium	Access Control	OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)	Documentation
Invalid OAuth2 Authorization URL (v3) ^{_{52c0d841-60d6-4a81-88dd-c35fef36d315}}	OpenAPI	Medium	Access Control	The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)	Documentation
Implicit Flow in OAuth2 (v3) ^{_{4a1f3d75-ab73-41b2-83e7-06a93dc3a75a}}	OpenAPI	Medium	Access Control	There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)	Documentation
Security Scheme Using HTTP Basic ^{_{68e5fcac-390c-4939-a373-6074b7be7c71}}	OpenAPI	Medium	Access Control	Security Scheme HTTP should not be using basic authentication (read more)	Documentation
OAuth2 With Password Flow ^{_{3979b0a4-532c-4ea7-86e4-34c090eaa4f2}}	OpenAPI	Medium	Access Control	OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)	Documentation
Security Scheme Using HTTP Digest ^{_{a4247b11-890b-45df-bf42-350a7a3af9be}}	OpenAPI	Medium	Access Control	Security Scheme HTTP should not be using digest authentication (read more)	Documentation
Invalid OAuth2 Token URL (v3) ^{_{3ba0cca1-b815-47bf-ac62-1e584eb64a05}}	OpenAPI	Medium	Access Control	OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)	Documentation
Security Scheme Using HTTP Negotiate ^{_{f525cc92-9050-4c41-a75c-890dc6f64449}}	OpenAPI	Medium	Access Control	Security Scheme HTTP should not be using negotiate authentication (read more)	Documentation
Security Scheme HTTP Unknown Scheme ^{_{06764426-3c56-407e-981f-caa25db1c149}}	OpenAPI	Medium	Access Control	Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)	Documentation
Path Server Object Uses HTTP (v3) ^{_{9670f240-7b4d-4955-bd93-edaa9fa38b58}}	OpenAPI	Medium	Encryption	The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)	Documentation
Global Server Object Uses HTTP ^{_{2d8c175a-6d90-412b-8b0e-e034ea49a1fe}}	OpenAPI	Medium	Encryption	Global server object URL should use 'https' protocol instead of 'http' (read more)	Documentation
Additional Properties Too Permissive ^{_{9f88c88d-824d-4d9a-b985-e22977046042}}	OpenAPI	Medium	Insecure Configurations	Objects should not accept 'additionalProperties' if it is possible (read more)	Documentation
Parameter Object Without Schema ^{_{8fe1846f-52cc-4413-ace9-1933d7d23672}}	OpenAPI	Medium	Insecure Configurations	The Parameter Object should have the attribute 'schema' defined (read more)	Documentation
Media Type Object Without Schema ^{_{f79b9d26-e945-44e7-98a1-b93f0f7a68a0}}	OpenAPI	Medium	Insecure Configurations	The Media Type Object should have the attribute 'schema' defined (read more)	Documentation
Additional Properties Too Restrictive ^{_{a19c3bbd-c056-40d7-9e1c-eeb0634e320d}}	OpenAPI	Medium	Insecure Configurations	Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)	Documentation
Success Response Code Undefined for Trace Operation ^{_{105e20dd-8449-4d71-95c6-d5dac96639af}}	OpenAPI	Medium	Networking and Firewall	Trace should define the '200' successful code (read more)	Documentation
Header Object Without Schema ^{_{50de3b5b-6465-4e06-a9b0-b4c2ba34326b}}	OpenAPI	Medium	Networking and Firewall	The header object should have schema defined (read more)	Documentation
API Key Exposed In Global Security Scheme ^{_{40e1d1bf-11a9-4f63-a3a2-a8b84c602839}}	OpenAPI	Low	Access Control	API Keys should not be transported over network (read more)	Documentation
Global Security Scheme Using Basic Authentication ^{_{77276d82-4f45-4cf1-8e2b-4d345b936228}}	OpenAPI	Low	Access Control	A security scheme is allowing basic authentication credentials to be transported over network (read more)	Documentation
Security Scheme Using Oauth 1.0 ^{_{1bc3205c-0d60-44e6-84f3-44fbf4dac5b3}}	OpenAPI	Low	Access Control	Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)	Documentation
Undefined Scope 'securityScheme' On 'security' Field On Operations ^{_{462d6a1d-fed9-4d75-bb9e-3de902f35e6e}}	OpenAPI	Low	Access Control	Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)	Documentation
Undefined Scope 'securityScheme' On Global 'security' Field ^{_{23a9e2d9-8738-4556-a71c-2802b6ffa022}}	OpenAPI	Low	Access Control	Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)	Documentation
Components Request Body Definition Is Unused ^{_{6b76f589-9713-44ab-97f5-59a3dba1a285}}	OpenAPI	Info	Best Practices	Components request bodies definitions should be referenced or removed from Open API definition (read more)	Documentation
Property 'style' of Encoding Object Ignored ^{_{d3ea644a-9a5c-4fee-941f-f8a6786c0470}}	OpenAPI	Info	Best Practices	Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)	Documentation
Components Header Definition Is Unused ^{_{a68da022-e95a-4bc2-97d3-481e0bd6d446}}	OpenAPI	Info	Best Practices	Components headers definitions should be referenced or removed from Open API definition (read more)	Documentation
Components Link Definition Is Unused ^{_{c19779a9-5774-4d2f-a3a1-a99831730375}}	OpenAPI	Info	Best Practices	Components links definitions should be referenced or removed from Open API definition (read more)	Documentation
Components Callback Definition Is Unused ^{_{d15db953-a553-4b8a-9a14-a3d62ea3d79d}}	OpenAPI	Info	Best Practices	Components callbacks definitions should be referenced or removed from Open API definition (read more)	Documentation
Components Response Definition Is Unused ^{_{9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae}}	OpenAPI	Info	Best Practices	Components responses definitions should be referenced or removed from Open API definition (read more)	Documentation
Unknown Prefix (v3) ^{_{a5375be3-521c-43bb-9eab-e2432e368ee4}}	OpenAPI	Info	Best Practices	The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)	Documentation
Property 'explode' of Encoding Object Ignored ^{_{a4dd69b8-49fa-45d2-a060-c76655405b05}}	OpenAPI	Info	Best Practices	Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)	Documentation
Property 'allowReserved' of Encoding Object Ignored ^{_{4190dda7-af03-4cf0-a128-70ac1661ca09}}	OpenAPI	Info	Best Practices	Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)	Documentation
Components Parameter Definition Is Unused ^{_{698a464e-bb3e-4ba8-ab5e-e6599b7644a0}}	OpenAPI	Info	Best Practices	Components parameters definitions should be referenced or removed from Open API definition (read more)	Documentation
Components Example Definition Is Unused ^{_{b05bb927-2df5-43cc-8d7b-6825c0e71625}}	OpenAPI	Info	Best Practices	Components examples definitions should be referenced or removed from Open API definition (read more)	Documentation
Components Schema Definition Is Unused ^{_{962fa01e-b791-4dcc-b04a-4a3e7389be5e}}	OpenAPI	Info	Best Practices	Components schemas definitions should be referenced or removed from Open API definition (read more)	Documentation
Property 'allowEmptyValue' Ignored ^{_{59c2f769-7cc2-49c8-a3de-4e211135cfab}}	OpenAPI	Info	Best Practices	Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)	Documentation
Invalid Media Type Value (v3) ^{_{cf4a5f45-a27b-49df-843a-9911dbfe71d4}}	OpenAPI	Info	Best Practices	The Media Type value should match the following format: /[+suffix][;parameters] (read more)	Documentation
Encoding Header 'Content-Type' Improperly Defined ^{_{4cd8de87-b595-48b6-ab3c-1904567135ab}}	OpenAPI	Info	Best Practices	Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)	Documentation
Example JSON Reference Outside Components Examples ^{_{bac56e3c-1f71-4a74-8ae6-2fba07efcddb}}	OpenAPI	Info	Structure and Semantics	Reference to examples should point to #/components/examples (read more)	Documentation
Security Operation Field Undefined ^{_{20a482d5-c5d9-4a7a-b7a4-60d0805047b4}}	OpenAPI	Info	Structure and Semantics	Security operation field should be defined in '#/components/securitySchemes' (read more)	Documentation
Server URL Not Absolute ^{_{a0bf7382-5d5a-4224-924c-3db8466026c9}}	OpenAPI	Info	Structure and Semantics	The Server URL should be an absolute URL (read more)	Documentation
Response Object With Incorrect Ref (v3) ^{_{b3871dd8-9333-4d6c-bd52-67eb898b71ab}}	OpenAPI	Info	Structure and Semantics	Response Object reference must always point to '#/components/responses' (read more)	Documentation
Link Object OperationId Does Not Target Operation Object ^{_{c5bb7461-aa57-470b-a714-3bc3d74f4669}}	OpenAPI	Info	Structure and Semantics	Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)	Documentation
Request Body With Incorrect Ref ^{_{0f6cd0ab-c366-4595-84fc-fbd8b9901e4d}}	OpenAPI	Info	Structure and Semantics	Request Body reference must always point to '#/components/RequestBodies' (read more)	Documentation
Encoding Map Key Mismatch Schema Defined Properties ^{_{cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b}}	OpenAPI	Info	Structure and Semantics	Encoding Map Key should be set in schema defined properties (read more)	Documentation
Components Object Fixed Field Key Improperly Named ^{_{151331e2-11f4-4bb6-bd35-9a005e695087}}	OpenAPI	Info	Structure and Semantics	Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)	Documentation
Schema JSON Reference Does Not Exists (v3) ^{_{015eac96-6313-43c0-84e5-81b1374fa637}}	OpenAPI	Info	Structure and Semantics	Schema reference should exists on components field (read more)	Documentation
Server URL Uses Undefined Variables ^{_{8d0921d6-4131-461f-a253-99e873f8f77e}}	OpenAPI	Info	Structure and Semantics	Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)	Documentation
Response JSON Reference Does Not Exists (v3) ^{_{7a01dfbd-da62-4165-aed7-71349ad42ab4}}	OpenAPI	Info	Structure and Semantics	Response reference should exists on components field (read more)	Documentation
Parameter Object With Incorrect Ref (v3) ^{_{d40f27e6-15fb-4b56-90f8-fc0ff0291c51}}	OpenAPI	Info	Structure and Semantics	Parameter Object reference must always point to '#/components/parameters' (read more)	Documentation
Object Without Required Property (v3) ^{_{d172a060-8569-4412-8045-3560ebd477e8}}	OpenAPI	Info	Structure and Semantics	OpenAPI Object should contain all of its required fields (read more)	Documentation
Unknown Property (v3) ^{_{fb7d81e7-4150-48c4-b914-92fc05da6a2f}}	OpenAPI	Info	Structure and Semantics	All properties defined in OpenAPI objects should be known (read more)	Documentation
Parameter Object Content With Multiple Entries ^{_{8bfed1c6-2d59-4924-bc7f-9b9d793ed0df}}	OpenAPI	Info	Structure and Semantics	The map content property of the parameter object should only contain one entry (read more)	Documentation
Link Object Incorrect Ref ^{_{b9db8a10-020c-49ca-88c6-780e5fdb4328}}	OpenAPI	Info	Structure and Semantics	Link object reference must always point to '#/components/links' (read more)	Documentation
Servers Array Undefined ^{_{c66ebeaa-676c-40dc-a3ff-3e49395dcd5e}}	OpenAPI	Info	Structure and Semantics	The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)	Documentation
Property 'allowReserved' Improperly Defined ^{_{7f203940-39c4-4ea7-91ee-7aba16bca9e2}}	OpenAPI	Info	Structure and Semantics	Property 'allowReserved' should be only defined for query parameters (read more)	Documentation
Schema Object Incorrect Ref (v3) ^{_{4cac7ace-b0fb-477d-830d-65395d9109d9}}	OpenAPI	Info	Structure and Semantics	Schema Object reference must always point to '#/components/schemas' (read more)	Documentation
Invalid Content Type For Multiple Files Upload ^{_{26f06397-36d8-4ce7-b993-17711261d777}}	OpenAPI	Info	Structure and Semantics	Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)	Documentation
Link JSON Reference Does Not Exists ^{_{801f0c6a-a834-4467-89c6-ddecffb46b5a}}	OpenAPI	Info	Structure and Semantics	Link reference should exists on components field (read more)	Documentation
Request Body JSON Reference Does Not Exists ^{_{ca02f4e8-d3ae-4832-b7db-bb037516d9e7}}	OpenAPI	Info	Structure and Semantics	Request Body reference should exists on components field (read more)	Documentation
Callback JSON Reference Does Not Exists ^{_{f29904c8-6041-4bca-b043-dfa0546b8079}}	OpenAPI	Info	Structure and Semantics	Callback reference should exists on components field (read more)	Documentation
Callback Object With Incorrect Ref ^{_{ba066cda-e808-450d-92b6-f29109754d45}}	OpenAPI	Info	Structure and Semantics	Callback Object reference must always point to '#/components/callbacks' (read more)	Documentation
Link Object With Both 'operationId' And 'operationRef' ^{_{60fb6621-9f02-473b-9424-ba9a825747d3}}	OpenAPI	Info	Structure and Semantics	Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)	Documentation
Parameter JSON Reference Does Not Exists (v3) ^{_{2e275f16-b627-4d3f-ae73-a6153a23ae8f}}	OpenAPI	Info	Structure and Semantics	Parameter reference should exists on components field (read more)	Documentation
Empty Array ^{_{5915c20f-dffa-4cee-b5d4-f457ddc0151a}}	OpenAPI	Info	Structure and Semantics	All array fields should not be empty (read more)	Documentation
Server Object Variable Not Used ^{_{8aee4754-970d-4c5f-8142-a49dfe388b1a}}	OpenAPI	Info	Structure and Semantics	Every defined Server Variable Object should be used in a Service URL. (read more)	Documentation
Header Object With Incorrect Ref ^{_{2d6646f4-2946-420f-8c14-3232d49ae0cb}}	OpenAPI	Info	Structure and Semantics	Header Object reference must always point to '#/components/headers' (read more)	Documentation
Security Requirement Object With Wrong Scopes ^{_{37140f7f-724a-4c87-a536-e9cee1d61533}}	OpenAPI	Info	Structure and Semantics	Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)	Documentation
Example JSON Reference Does Not Exists ^{_{6a2c219f-da5e-4745-941e-5ea8cde23356}}	OpenAPI	Info	Structure and Semantics	Example reference should exists on components field (read more)	Documentation
Schema With Both ReadOnly And WriteOnly ^{_{d2361d58-361c-49f0-9e50-b957fd608b29}}	OpenAPI	Info	Structure and Semantics	Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)	Documentation
Parameter Object With Undefined Type ^{_{46facedc-f243-4108-ab33-583b807d50b0}}	OpenAPI	Info	Structure and Semantics	A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)	Documentation
Parameter Object With Schema And Content ^{_{31dd6fc0-f274-493b-9614-e063086c19fc}}	OpenAPI	Info	Structure and Semantics	A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)	Documentation
Security Field Undefined ^{_{ab1263c2-81df-46f0-9f2c-0b62fdb68419}}	OpenAPI	Info	Structure and Semantics	Security field should be defined in '#/components/securitySchemes' (read more)	Documentation
Header JSON Reference Does Not Exists ^{_{376c9390-7e9e-4cb8-a067-fd31c05451fd}}	OpenAPI	Info	Structure and Semantics	Header reference should exists on components field (read more)	Documentation
Request Body Object With Incorrect Media Type ^{_{58f06434-a88c-4f74-826c-db7e10cc7def}}	OpenAPI	Info	Structure and Semantics	The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)	Documentation
Script Block Injection ^{_{62ff6823-927a-427f-acf9-f1ea2932d616}}	CICD	High	Insecure Configurations	GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)	Documentation
Run Block Injection ^{_{20f14e1a-a899-4e79-9f09-b6a84cd4649b}}	CICD	High	Insecure Configurations	GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)	Documentation
Unsecured Commands ^{_{60fd272d-15f4-4d8f-afe4-77d9c6cc0453}}	CICD	Medium	Insecure Configurations	There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)	Documentation
Unpinned Actions Full Length Commit SHA ^{_{555ab8f9-2001-455e-a077-f2d0f41e2fb9}}	CICD	Medium	Supply-Chain	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)	Documentation
Serving Revision Spec Without Timeout Seconds ^{_{e8bb41e4-2f24-4e84-8bea-8c7c070cf93d}}	Knative	Info	Insecure Configurations	Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)	Documentation
Serverless Role With Full Privileges ^{_{59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd}}	ServerlessFW	High	Access Control	Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)	Documentation
Serverless Function Environment Variables Not Encrypted ^{_{4495bc5d-4d1e-4a26-ae92-152d18195648}}	ServerlessFW	High	Encryption	Serverless Function should encrypt environment variables (read more)	Documentation
Serverless API Without Content Encoding ^{_{d5d1fe08-89db-440c-8725-b93223387309}}	ServerlessFW	Medium	Encryption	Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)	Documentation
Serverless Function Without Tags ^{_{f99d3482-fa8c-4f79-bad9-35212dded164}}	ServerlessFW	Medium	Insecure Configurations	Serverless Function should be have associated tags (read more)	Documentation
Serverless Function Without Unique IAM Role ^{_{165aae3b-a56a-48f3-b76d-d2b5083f5b8f}}	ServerlessFW	Medium	Insecure Configurations	Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)	Documentation
Serverless API Endpoint Config Not Private ^{_{4d424558-c6d1-453c-be98-9a7f877abd9a}}	ServerlessFW	Medium	Networking and Firewall	Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)	Documentation
Serverless API X-Ray Tracing Disabled ^{_{434945e5-4dfd-41b1-aba1-47075ccd9265}}	ServerlessFW	Medium	Observability	Serverless API Gateway should have X-Ray Tracing enabled (read more)	Documentation
Serverless API Access Logging Setting Undefined ^{_{a4d32883-aac7-42e1-b403-9415af0f3846}}	ServerlessFW	Medium	Observability	Serverless FW API should have HTTP Access Logging enabled (read more)	Documentation
Serverless Function Without Dead Letter Queue ^{_{dec7bc85-d156-4f64-9a33-96ed3d9f3fed}}	ServerlessFW	Low	Insecure Configurations	Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)	Documentation
Serverless Function Without X-Ray Tracing ^{_{0d7ef70f-e176-44e6-bdba-add3e429788d}}	ServerlessFW	Low	Observability	Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)	Documentation