Ansible Queries List
This page contains all queries from Ansible.
AZURE
Below are the queries related to Ansible AZURE:
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Public Storage Account 35e2f133-a395-40de-a79d-b260d973d1bd | High | Access Control | Storage Account should not be public, following the principle of least privilege | Documentation |
Storage Container Is Publicly Accessible 4d3817db-dd35-4de4-a80d-3867157e7f7f | High | Access Control | Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage | Documentation |
Admin User Enabled For Container Registry 29f35127-98e6-43af-8ec1-201b79f99604 | High | Access Control | Admin user is enabled for Container Registry | Documentation |
Azure Instance Using Basic Authentication e2d834b7-8b25-4935-af53-4a60668dcbe0 | High | Best Practices | Azure Instances should use an SSH key instead of basic authentication | Documentation |
SSL Enforce Disabled 961ce567-a16d-4d7d-9027-f0ec2628a555 | High | Encryption | Make sure that for PostgreSQL, 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
Storage Account Not Forcing HTTPS 2c99a474-2a3c-4c17-8294-53ffa5ed0522 | High | Encryption | Storage Accounts should enforce the use of HTTPS | Documentation |
MySQL SSL Connection Disabled 2a901825-0f3b-4655-a0fe-e0470e50f8e6 | High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
Web App Accepting Traffic Other Than HTTPS eb8c2560-8bee-4248-9d0d-e80c8641dd91 | High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service | Documentation |
Azure Container Registry With No Locks 581dae78-307d-45d5-aae4-fe2b0db267a5 | High | Insecure Configurations | Azurerm Container Registry should have associated locks, which means an 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined | Documentation |
AD Admin Not Configured For SQL Server b176e927-bbe2-44a6-a9c3-041417137e5f | High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
VM Not Attached To Network 1e5f5307-3e01-438d-8da6-985307ed25ce | High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
Sensitive Port Is Exposed To Entire Network 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open to the whole network over TCP or UDP | Documentation |
Trusted Microsoft Services Not Enabled 1bc398a8-d274-47de-a4c8-6ac867b353de | High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access | Documentation |
CosmosDB Account IP Range Filter Not Set e8c80448-31d8-4755-85fc-6dbab69c2717 | High | Networking and Firewall | The IP range filter should be defined to secure the data stored | Documentation |
SQLServer Ingress From Any IP f4e9ff70-0f3b-4c50-a713-26cbe7ec4039 | High | Networking and Firewall | Check if all IPs are allowed, i.e. a range from start 0.0.0.0 to end 255.255.255.255 | Documentation |
Redis Publicly Accessible 0632d0db-9190-450a-8bb3-c283bffea445 | High | Networking and Firewall | Firewall rule allows unrestricted access to Redis from other Azure sources | Documentation |
Redis Entirely Accessible 0d0c12b9-edce-4510-9065-13f6a758750c | High | Networking and Firewall | Firewall rule allows unrestricted access to Redis from the Internet | Documentation |
Role Definition Allows Custom Role Creation 5c80db8e-03f5-43a2-b4af-1f3f87018157 | Medium | Access Control | Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) | Documentation |
Default Azure Storage Account Network Access Is Too Permissive ca4df748-613a-4fbf-9c76-f02cbd580307 | Medium | Access Control | Make sure that access to your Azure Storage Account is limited to those who require it | Documentation |
AKS RBAC Disabled 149fa56c-4404-4f90-9e25-d34b676d5b39 | Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
Key Vault Soft Delete Is Disabled 881696a8-68c5-4073-85bc-7c38a3deb854 | Medium | Backup | Make sure Soft Delete is enabled for Key Vault | Documentation |
SQL Server Predictable Admin Account Name 663062e9-473d-4e87-99bc-6f3684b3df40 | Medium | Best Practices | Azure SQL Server's admin account login must avoid predictable names like 'Admin', which means the attribute 'admin_username' must be set to a name that is not easy to predict | Documentation |
SQL Server Predictable Active Directory Account Name 530e8291-2f22-4bab-b7ea-306f1bc2a308 | Medium | Best Practices | Azure SQL Server must avoid predictable Active Directory Administrator account names like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict | Documentation |
Cosmos DB Account Without Tags 23a4dc83-4959-4d99-8056-8e051a82bc1e | Medium | Build Process | Cosmos DB Account must have a mapping of tags | Documentation |
Storage Account Not Using Latest TLS Encryption Version c62746cf-92d5-4649-9acf-7d48d086f2ee | Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
Redis Cache Allows Non SSL Connections 869e7fb4-30f0-4bdb-b360-ad548f337f2f | Medium | Insecure Configurations | Redis Cache resources should not allow non-SSL connections | Documentation |
Security Group is Not Configured da4f2739-174f-4cdd-b9ef-dc3f14b5931f | Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
AKS Network Policy Misconfigured 8c3bedf1-c570-4c3b-b414-d068cd39a00c | Medium | Insecure Configurations | Azure Kubernetes Service should have a proper network policy configuration to ensure the principle of least privilege, which means 'network_profile.network_policy' should be defined | Documentation |
Firewall Rule Allows Too Many Hosts To Access Redis Cache 69f72007-502e-457b-bd2d-5012e31ac049 | Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache | Documentation |
Unrestricted SQL Server Access 3f23c96c-f9f5-488d-9b17-605b8da5842f | Medium | Networking and Firewall | Azure SQL Server accessibility should be set to a minimal address range, following the principle of least privilege, which means the difference between the values of 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both IPs should be different from '0.0.0.0' | Documentation |
WAF Is Disabled For Azure Application Gateway 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255 | Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway | Documentation |
PostgreSQL Log Disconnections Not Set 054d07b5-941b-4c28-8eef-18989dc62323 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
PostgreSQL Server Without Connection Throttling a9becca7-892a-4af7-b9e1-44bf20a4cd9a | Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
PostgreSQL Log Duration Not Set 729ebb15-8060-40f7-9017-cb72676a5487 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
Log Retention Is Not Set 0461b4fd-21ef-4687-929e-484ee4796785 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
PostgreSQL Log Connections Not Set 7b47138f-ec0e-47dc-8516-e7728fe3cc17 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
Small Activity Log Retention Period 37fafbea-dedb-4e0d-852e-d16ee0589326 | Medium | Observability | Ensure that Activity Log Retention is set to 365 days or greater | Documentation |
Monitoring Log Profile Without All Activities 89f84a1e-75f8-47c5-83b5-bee8e2de4168 | Medium | Observability | Monitoring log profile should capture all the activities (Action, Write, Delete) | Documentation |
PostgreSQL Log Checkpoints Disabled 7ab33ac0-e4a3-418f-a673-50da4e34df21 | Medium | Observability | Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
AKS Monitoring Logging Disabled d5e83b32-56dd-4247-8c2e-074f43b38a5e | Medium | Observability | Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring | Documentation |
SHARED (V2/V3)
Below are the queries related to Ansible SHARED (V2/V3):
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Privilege Escalation Using Become Plugin 0e75052f-cc02-41b8-ac39-a78017527e95 | Medium | Access Control | In order to perform an action as a different user with 'become_user', 'become' must be defined and set to 'true' | Documentation |
Communication Over HTTP 2e8d4922-8362-4606-8c14-aa10466a1ce3 | Medium | Insecure Configurations | Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks | Documentation |
Insecure Relative Path Resolution 8d22ae91-6ac1-459f-95be-d37bd373f244 | Low | Best Practices | Using relative paths can lead to unexpected behavior, as the path is resolved relative to the current working directory, which can change | Documentation |
Logging of Sensitive Data 59029ddf-e651-412b-ae7b-ff6d403184bc | Low | Best Practices | To keep sensitive values out of logs, tasks that expose them need to be marked by defining 'no_log' and setting it to True | Documentation |
Unpinned Package Version c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8 | Low | Supply-Chain | Setting state to latest performs an update and installs additional packages, possibly resulting in performance degradation or loss of service | Documentation |
Risky File Permissions 88841d5c-d22d-4b7e-a6a0-89ca50e44b9f | Info | Supply-Chain | Some modules could end up creating new files on disk with permissions that might be too open or unpredictable | Documentation |
AWS
Below are the queries related to Ansible AWS:
Query | Severity | Category | Description | Help |
---|---|---|---|---|
S3 Bucket Allows List Action From All Principals d395a950-12ce-4314-a742-ac5a785ab44e | High | Access Control | S3 Buckets must not allow List Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals | Documentation |
S3 Bucket ACL Allows Read to All Users a1ef9d2e-4163-40cb-bd92-04f0d602a15d | High | Access Control | S3 Buckets should not be readable to all users | Documentation |
IAM Policy Grants Full Permissions b5ed026d-a772-4f07-97f9-664ba0b116f8 | High | Access Control | IAM policy should not grant full permissions to resources from the outset; permissions should instead be granted gradually as necessary | Documentation |
ECS Service Admin Role Is Present 7db727c1-1720-468e-b80e-06697f71e09e | High | Access Control | ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role | Documentation |
S3 Bucket ACL Allows Read to Any Authenticated User 75480b31-f349-4b9a-861f-bce19588e674 | High | Access Control | S3 Buckets should not be readable to any authenticated user | Documentation |
IAM Policies With Full Privileges e401d614-8026-4f4b-9af9-75d1197461ba | High | Access Control | IAM policies shouldn't allow full administrative privileges (for all resources) | Documentation |
SQS Queue Exposed 86b0efa7-4901-4edd-a37a-c034bec6645a | High | Access Control | Checks if the SQS Queue is exposed | Documentation |
S3 Bucket Access to Any Principal 3ab1f27d-52cc-4943-af1d-43c1939e739a | High | Access Control | Checks if the S3 bucket is accessible to all users | Documentation |
S3 Bucket Allows Delete Action From All Principals 6fa44721-ef21-41c6-8665-330d59461163 | High | Access Control | S3 Buckets must not allow Delete Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals | Documentation |
S3 Bucket With All Permissions 6a6d7e56-c913-4549-b5c5-5221e624d2ec | High | Access Control | S3 Buckets should not have all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals | Documentation |
SNS Topic is Publicly Accessible 905f4741-f965-45c1-98db-f7a00a0e5c73 | High | Access Control | SNS Topic Policy should not allow any principal to access | Documentation |
Authentication Without MFA eee107f9-b3d8-45d3-b9c6-43b5a7263ce1 | High | Access Control | Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating | Documentation |
S3 Bucket Allows Get Action From All Principals 53bce6a8-5492-4b1b-81cf-664385f0c4bf | High | Access Control | S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals | Documentation |
S3 Bucket Allows Put Action From All Principals a0f1bfe0-741e-473f-b3b2-13e66f856fab | High | Access Control | S3 Buckets must not allow Put Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals | Documentation |
User Data Shell Script Is Encoded 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89 | High | Encryption | User Data Shell Script must be encoded | Documentation |
IAM Database Auth Not Enabled 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 | High | Encryption | IAM Database Auth Enabled should be configured to true when using a compatible engine and version | Documentation |
S3 Bucket SSE Disabled 309edc5b-5a59-42b4-a357-d4d098311fd4 | High | Encryption | If the algorithm is AES256 then the master key is null, empty or undefined; otherwise the master key is required | Documentation |
EFS Without KMS bd77554e-f138-40c5-91b2-2a09f878608e | High | Encryption | Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed keys | Documentation |
S3 Bucket Without Server-side-encryption 594f54e7-f744-45ab-93e4-c6dbaf6cd571 | High | Encryption | AWS S3 Storage should be protected with SSE (Server-Side Encryption) | Documentation |
CA Certificate Identifier Is Outdated 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce | High | Encryption | The CA certificate Identifier must be 'rds-ca-2019' | Documentation |
ELB Using Insecure Protocols 730a5951-2760-407a-b032-dd629b55c23a | High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols | Documentation |
Redis Not Compliant 9f34885e-c08f-4d13-a7d1-cf190c5bd268 | High | Encryption | Check if the Redis version is compliant with the necessary AWS PCI DSS requirements | Documentation |
Secure Ciphers Disabled 218413a0-c716-4b94-9e08-0bb70d854709 | High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
Kinesis Not Encrypted With KMS f2ea6481-1d31-4d40-946a-520dc6321dd7 | High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS | Documentation |
DB Instance Storage Not Encrypted 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff | High | Encryption | AWS DB Instance should have its storage encrypted by setting the parameter 'storage_encrypted' to 'true'. Its default value is 'false' | Documentation |
AMI Not Encrypted 97707503-a22c-4cd7-b7c0-f088fa7cf830 | High | Encryption | AWS AMI Encryption is not enabled | Documentation |
ECS Task Definition Container With Plaintext Password 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892 | High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data | Documentation |
User Data Contains Encoded Private Key c09f4d3e-27d2-4d46-9453-abbe9687a64e | High | Encryption | User Data should not contain a base64-encoded private key. If it does, anyone can decode the private key easily | Documentation |
ELB Using Weak Ciphers 2034fb37-bc23-4ca0-8d95-2b9f15829ab5 | High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers | Documentation |
Launch Configuration Is Not Encrypted 66477506-6abb-49ed-803d-3fa174cd5f6a | High | Encryption | Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume | Documentation |
Cloudfront Viewer Protocol Policy Allows HTTP a6d27cf7-61dc-4bde-ae08-3b353b609f76 | High | Encryption | Checks if the connection between CloudFront and the viewer is encrypted | Documentation |
Redshift Not Encrypted 6a647814-def5-4b85-88f5-897c19f509cd | High | Encryption | AWS Redshift Cluster should be encrypted. Check if the 'encrypted' field is false or undefined (default is false) | Documentation |
EFS Not Encrypted 727c4fd4-d604-4df6-a179-7713d3c85e20 | High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
Redshift Publicly Accessible 5c6b727b-1382-4629-8ba9-abd1365e5610 | High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible. Check if the 'publicly_accessible' field is true (default is false) | Documentation |
EC2 Group Has Public Interface 5330b503-3319-44ff-9b1c-00ee873f728a | High | Insecure Configurations | The CIDR IP should not be a public interface | Documentation |
KMS Key With Full Permissions 5b9d237a-57d5-4177-be0e-71434b0fef47 | High | Insecure Configurations | The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege | Documentation |
S3 Bucket with Unsecured CORS Rule 3505094c-f77c-4ba0-95da-f83db712f86c | High | Insecure Configurations | If a CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure | Documentation |
RDS DB Instance Publicly Accessible c09e3ca5-f08a-4717-9c87-3919c5e6d209 | High | Insecure Configurations | RDS must not be defined with a public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false') | Documentation |
ECS Task Definition Network Mode Not Recommended 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f | High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
Batch Job Definition With Privileged Container Properties defe5b18-978d-4722-9325-4d1975d3699f | High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
Root Account Has Active Access Keys e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40 | High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means that if there are access keys associated with the Root Account, they must be inactive | Documentation |
CloudFront Without Minimum Protocol TLS 1.2 d0c13053-d2c8-44a6-95da-d592996e9e67 | High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
Vulnerable Default SSL Certificate fb8f8929-afeb-4c46-99f0-a6cf410f7df4 | High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one | Documentation |
HTTP Port Open To Internet a14ad534-acbe-4a8e-9404-2f7e1045646e | High | Networking and Firewall | The HTTP port is open to the internet in a Security Group | Documentation |
Public Port Wide 71ea648a-d31a-4b5a-a589-5674243f1c33 | High | Networking and Firewall | AWS Security Group should not have a wide port range open to the public | Documentation |
Security Group With Unrestricted Access To SSH 57ced4b9-6ba4-487b-8843-b65562b90c77 | High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Security Group | Documentation |
DB Security Group With Public Scope 0956aedf-6a7a-478b-ab56-63e2b19923ad | High | Networking and Firewall | The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it | Documentation |
Route53 Record Undefined 445dce51-7e53-4e50-80ef-7f94f14169e4 | High | Networking and Firewall | Route53 Record should have a list of records | Documentation |
Unrestricted Security Group Ingress 83c5fa4c-e098-48fc-84ee-0a537287ddd2 | High | Networking and Firewall | Security groups allow ingress from 0.0.0.0/0 | Documentation |
EC2 Instance Has Public IP a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1 | High | Networking and Firewall | EC2 Instance should not have a public IP address | Documentation |
Elasticsearch with HTTPS disabled d6c2d06f-43c1-488a-9ba1-8d75b40fc62d | High | Networking and Firewall | Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, set the attribute 'EnforceHTTPS' to true | Documentation |
Unknown Port Exposed To Internet 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b | High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
Default Security Groups With Unrestricted Traffic 8010e17a-00e9-4635-a692-90d6bcec68bd | High | Networking and Firewall | Check if the default security group does not restrict all inbound and outbound traffic | Documentation |
Security Group Ingress Not Restricted ea6bc7a6-d696-4dcf-a788-17fa03c17c81 | High | Networking and Firewall | AWS Security Group should restrict ingress access | Documentation |
RDS Associated with Public Subnet 16732649-4ff6-4cd2-8746-e72c13fae4b8 | High | Networking and Firewall | RDS should not run in a public subnet | Documentation |
ALB Listening on HTTP f81d63d2-c5d7-43a4-a5b5-66717a41c895 | High | Networking and Firewall | AWS Application Load Balancer (ALB) should not listen on HTTP | Documentation |
Remote Desktop Port Open To Internet eda7301d-1f3e-47cf-8d4e-976debc64341 | High | Networking and Firewall | The Remote Desktop port is open to the internet in a Security Group | Documentation |
DB Security Group Open To Large Scope ea0ed1c7-9aef-4464-b7c7-94c762da3640 | High | Networking and Firewall | The IP address range in a DB Security Group must not cover more than 256 hosts | Documentation |
CloudTrail Logging Disabled d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5 | High | Observability | Checks if logging is enabled for CloudTrail | Documentation |
CMK Rotation Disabled af96d737-0818-4162-8c41-40d969bd65d1 | High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled | Documentation |
SQS Policy With Public Access d994585f-defb-4b51-b6d2-c70f020ceb10 | Medium | Access Control | Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks on the queue | Documentation |
S3 Bucket With Public Access c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 | Medium | Access Control | S3 Bucket allows public access | Documentation |
SQS Policy Allows All Actions ed9b3beb-92cf-44d9-a9d2-171eeba569d4 | Medium | Access Control | SQS policy allows ALL (*) actions | Documentation |
Public Lambda via API Gateway 5e92d816-2177-4083-85b4-f61b4f7176d9 | Medium | Access Control | Allows running a Lambda function through a public API Gateway | Documentation |
Lambda Permission Principal Is Wildcard 1d972c56-8ec2-48c1-a578-887adb09c57a | Medium | Access Control | Lambda Permission Principal should not contain a wildcard | Documentation |
IAM Access Key Is Exposed 7f79f858-fbe8-4186-8a2c-dfd0d958a40f | Medium | Access Control | Check if an IAM Access Key is active for some user besides 'root' | Documentation |
IAM Policies Attached To User eafe4bc3-1042-4f88-b988-1939e64bf060 | Medium | Access Control | IAM policies should be attached only to groups or roles | Documentation |
API Gateway Without Configured Authorizer b16cdb37-ce15-4ab2-8401-d42b05d123fc | Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer | Documentation |
AMI Shared With Multiple Accounts a19b2942-142e-4e2b-93b7-6cf6a6c8d90f | Medium | Access Control | Limits access to AWS AMIs by checking if more than one account is using the same image | Documentation |
Cross-Account IAM Assume Role Policy Without ExternalId or MFA af167837-9636-4086-b815-c239186b9dda | Medium | Access Control | Cross-Account IAM Assume Role Policy should require an external ID or MFA to protect cross-account access | Documentation |
Certificate Has Expired 5a443297-19d4-4381-9e5b-24faf947ec22 | Medium | Access Control | Expired SSL/TLS certificates should be removed | Documentation |
ECR Repository Is Publicly Accessible fb5a5df7-6d74-4243-ab82-ff779a958bfd | Medium | Access Control | Amazon ECR image repositories shouldn't have public access | Documentation |
SES Policy With Allowed IAM Actions 8ed0bfce-f780-46d4-b086-21c3628f09ad | Medium | Access Control | SES policy should not allow IAM actions to all principals | Documentation |
CMK Is Unusable 133fee21-37ef-45df-a563-4d07edc169f4 | Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined | Documentation |
ECS Service Without Running Tasks f5c45127-1d28-4b49-a692-0b97da1c3a84 | Medium | Availability | ECS Service should have at least 1 task running | Documentation |
Auto Scaling Group With No Associated ELB 050f085f-a8db-4072-9010-2cca235cc02f | Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty | Documentation |
RDS With Backup Disabled e69890e6-fce5-461d-98ad-cb98318dfc96 | Medium | Backup | Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup | Documentation |
Stack Retention Disabled 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 | Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction | Documentation |
IAM Password Without Lowercase Letter 8e3063f4-b511-45c3-b030-f3b0c9131951 | Medium | Best Practices | IAM Password should have at least one lowercase letter | Documentation |
IAM Password Without Number 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8 | Medium | Best Practices | IAM user resource Login Profile Password should have at least one number | Documentation |
IAM Password Without Minimum Length 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d | Medium | Best Practices | IAM password should have the required minimum length | Documentation |
Password Without Reuse Prevention 6f5f5444-1422-495f-81ef-24cefd61ed2c | Medium | Best Practices | Password policy password_reuse_prevention doesn't exist or is equal to 0 | Documentation |
IAM Password Without Uppercase Letter 83957b81-39c1-4191-8e12-671d2ce14354 | Medium | Best Practices | IAM password should have at least one uppercase letter | Documentation |
Misconfigured Password Policy Expiration 3f2cf811-88fa-4eda-be45-7a191a18aba9 | Medium | Best Practices | No password expiration policy | Documentation |
Stack Without Template 32d31f1f-0f83-4721-b7ec-1e6948c60145 | Medium | Build Process | AWS CloudFormation should have a template defined through the attribute template, template_url or template_body | Documentation |
Config Rule For Encrypted Volumes Disabled 7674a686-e4b1-4a95-83d4-1fd53c623d84 | Medium | Encryption | Check if AWS config rules do not identify Encrypted Volumes as a source | Documentation |
Memcached Disabled 2d55ef88-b616-4890-b822-47f280763e89 | Medium | Encryption | Check if Memcached is disabled on the ElastiCache | Documentation |
SQS With SSE Disabled e1e7b278-2a8b-49bd-a26e-66a7f70b17eb | Medium | Encryption | Amazon Simple Queue Service (SQS) queues should protect the contents of their messages using Server-Side Encryption (SSE) | Documentation |
EBS Volume Encryption Disabled 4b6012e7-7176-46e4-8108-e441785eae57 | Medium | Encryption | EBS volumes should be encrypted | Documentation |
CodeBuild Not Encrypted a1423864-2fbc-4f46-bfe1-fbbf125c71c9 | Medium | Encryption | CodeBuild Project should be encrypted | Documentation |
API Gateway Without SSL Certificate b47b98ab-e481-4a82-8bb1-1ab39fd36e33 | Medium | Insecure Configurations | SSL Client Certificate should be enabled | Documentation |
ECR Image Tag Not Immutable 60bfbb8a-c72f-467f-a6dd-a46b7d612789 | Medium | Insecure Configurations | ECR should have image tags set to immutable. This prevents image tags from being overwritten | Documentation |
Lambda Function Without Tags 265d9725-2fb8-42a2-bc57-3279c5db82d5 | Medium | Insecure Configurations | AWS Lambda Functions must have associated tags | Documentation |
Instance With No VPC 61d1a2d0-4db8-405a-913d-5d2ce49dff6f | Medium | Insecure Configurations | EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
Certificate RSA Key Bytes Lower Than 256 d5ec2080-340a-4259-b885-f833c4ea6a31 | Medium | Insecure Configurations | The certificate should use an RSA key with a length equal to or higher than 256 bytes | Documentation |
AWS Password Policy With Unchangeable Passwords e28ceb92-d588-4166-aac5-766c8f5b7472 | Medium | Insecure Configurations | Unchangeable passwords in AWS password policy | Documentation |
API Gateway Endpoint Config is Not Private 559439b2-3e9c-4739-ac46-17e3b24ec215 | Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet | Documentation |
API Gateway without WAF f5f38943-664b-4acc-ab11-f292fa10ed0b | Medium | Networking and Firewall | API Gateway should have WAF (Web Application Firewall) enabled | Documentation |
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible 7af1c447-c014-4f05-bd8b-ebe3a15734ac | Medium | Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it | Documentation |
API Gateway X-Ray Disabled 2059155b-27fd-441e-b616-6966c468561f | Medium | Observability | API Gateway should have X-Ray Tracing enabled | Documentation |
API Gateway With CloudWatch Logging Disabled 72a931c2-12f5-40d1-93cc-47bff2f7aa2a | Medium | Observability | AWS CloudWatch Logs for APIs is not enabled | Documentation |
S3 Bucket Without Versioning 9232306a-f839-40aa-b3ef-b352001da9a5 | Medium | Observability | S3 bucket should have versioning enabled | Documentation |
Configuration Aggregator to All Regions Disabled a2fdf451-89dd-451e-af92-bf6c0f4bab96 |
Medium | Observability | AWS Config Configuration Aggregator All Regions must be set to True (read more) | Documentation |
S3 Bucket Logging Disabled c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d |
Medium | Observability | Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more) | Documentation |
CloudFront Logging Disabled d31cb911-bf5b-4eb6-9fc3-16780c77c7bd |
Medium | Observability | AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more) | Documentation |
CloudTrail Multi Region Disabled 6ad087d7-a509-4b20-b853-9ef6f5ebaa98 |
Medium | Observability | CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more) | Documentation |
CloudWatch Without Retention Period Specified e24e18d9-4c2b-4649-b3d0-18c088145e24 |
Medium | Observability | AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more) | Documentation |
Stack Notifications Disabled d39761d7-94ab-45b0-ab5e-27c44e381d58 |
Medium | Observability | AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more) | Documentation |
CloudTrail Not Integrated With CloudWatch ebb2118a-03bc-4d53-ab43-d8750f5cb8d3 |
Medium | Observability | CloudTrail should be integrated with CloudWatch (read more) | Documentation |
CloudTrail SNS Topic Name Undefined 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92 |
Medium | Observability | Check if SNS topic name is set for CloudTrail (read more) | Documentation |
No Stack Policy ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9 |
Medium | Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more) | Documentation |
Hardcoded AWS Access Key c2f15af3-66a0-4176-a56e-e4711e502e5c |
Medium | Secret Management | AWS Access Key should not be hardcoded (read more) | Documentation |
Hardcoded AWS Access Key In Lambda f34508b9-f574-4330-b42d-88c44cced645 |
Medium | Secret Management | Lambda access/secret keys should not be hardcoded (read more) | Documentation |
IAM Group Without Users f509931b-bbb0-443c-bd9b-10e92ecf2193 |
Low | Access Control | IAM Group should have at least one user associated (read more) | Documentation |
IAM Role Allows All Principals To Assume babdedcf-d859-43da-9a7b-6d72e661a8fd |
Low | Access Control | IAM role allows all services or principals to assume it (read more) | Documentation |
EC2 Instance Using Default Security Group 8d03993b-8384-419b-a681-d1f55149397c |
Low | Access Control | EC2 instances should not use default security group(s) (read more) | Documentation |
IAM Policy Grants 'AssumeRole' Permission Across All Services 12a7a7ce-39d6-49dd-923d-aeb4564eb66c |
Low | Access Control | IAM Policy should not grant 'AssumeRole' permission across all services. (read more) | Documentation |
CDN Configuration Is Missing b25398a2-0625-4e61-8e4d-a1bb23905bf6 |
Low | Best Practices | Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more) | Documentation |
Automatic Minor Upgrades Disabled 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94 |
Low | Best Practices | RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more) | Documentation |
Lambda Permission Misconfigured 3ddf3417-424d-420d-8275-0724dc426520 |
Low | Best Practices | Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more) | Documentation |
EFS Without Tags b8a9852c-9943-4973-b8d5-77dae9352851 |
Low | Build Process | Amazon Elastic Filesystem should have filesystem tags associated (read more) | Documentation |
CloudTrail Log Files Not Encrypted With KMS f5587077-3f57-4370-9b4e-4eb5b1bac85b |
Low | Encryption | Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more) | Documentation |
EC2 Instance Using Default VPC 8833f180-96f1-46f4-9147-849aafa56029 |
Low | Networking and Firewall | EC2 Instances should not be configured under a default VPC network (read more) | Documentation |
Redshift Using Default Port e01de151-a7bd-4db4-b49b-3c4775a5e881 |
Low | Networking and Firewall | Redshift should not use the default port (5439) because an attacker can easily guess the port (read more) | Documentation |
RDS Using Default Port 2cb674f6-32f9-40be-97f2-62c0dc38f0d5 |
Low | Networking and Firewall | RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more) | Documentation |
ElastiCache Using Default Port 7cc6c791-5f68-4816-a564-b9b699f9d26e |
Low | Networking and Firewall | ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more) | Documentation |
CloudFront Without WAF 22c80725-e390-4055-8d14-a872230f6607 |
Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more) | Documentation |
ElastiCache Without VPC 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f |
Low | Networking and Firewall | ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more) | Documentation |
CloudTrail Log File Validation Disabled 4d8681a2-3d30-4c89-8070-08acd142748e |
Low | Observability | CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more) | Documentation |
Lambda Functions Without X-Ray Tracing 71397b34-1d50-4ee1-97cb-c96c34676f74 |
Low | Observability | AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more) | Documentation |
EC2 Not EBS Optimized 338b6cab-961d-4998-bb49-e5b6a11c9a5c |
Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more) | Documentation |
GCP
Below are listed the queries related to Ansible GCP:
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Cloud Storage Anonymous or Publicly Accessible 086031e1-9d4a-4249-acb3-5bfe4c363db2 | High | Access Control | Cloud Storage buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more) | Documentation |
VM With Full Cloud Access bc20bbc6-0697-4568-9a73-85af1dd97bdd | High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs (read more) | Documentation |
BigQuery Dataset Is Public 2263b286-2fe9-4747-a0ae-8b4768a2bbd2 | High | Access Control | BigQuery dataset is anonymously or publicly accessible (read more) | Documentation |
SQL DB Instance Backup Disabled 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8 | High | Backup | Checks if backup configuration is enabled for all Cloud SQL database instances (read more) | Documentation |
DNSSEC Using RSASHA1 6cf4c3a7-ceb0-4475-8892-3745b84be24a | High | Encryption | DNSSEC should not use the RSASHA1 algorithm (read more) | Documentation |
SQL DB Instance With SSL Disabled d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb | High | Encryption | Cloud SQL database instances should have SSL enabled (read more) | Documentation |
PostgreSQL Misconfigured Logging Duration Flag aed98a2a-e680-497a-8886-277cea0f4514 | High | Insecure Configurations | PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more) | Documentation |
MySQL Instance With Local Infile On a7b520bb-2509-4fb0-be05-bc38f54c7a4c | High | Insecure Configurations | MySQL instances should not have Local Infile on (read more) | Documentation |
Cluster Master Authentication Disabled 9df7f78f-ebe3-432e-ac3b-b67189c15518 | High | Insecure Configurations | Kubernetes Engine clusters must have Master Authentication enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more) | Documentation |
Private Cluster Disabled 3b30e3d6-c99b-4318-b38f-b99db74578b5 | High | Insecure Configurations | Kubernetes clusters must be created with Private Clusters enabled, meaning 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more) | Documentation |
Cluster Labels Disabled fbe9b2d0-a2b7-47a1-a534-03775f3013f7 | High | Insecure Configurations | Kubernetes clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more) | Documentation |
Cloud SQL Instance With Cross DB Ownership Chaining On 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f | High | Insecure Configurations | GCP SQL instances should not have Cross DB Ownership Chaining on (read more) | Documentation |
Cloud SQL Instance With Contained Database Authentication On 6d34aff3-fdd2-460c-8190-756a3b4969e8 | High | Insecure Configurations | SQL instances should not have Contained Database Authentication on (read more) | Documentation |
IP Aliasing Disabled ed672a9f-fbf0-44d8-a47d-779501b0db05 | High | Insecure Configurations | Kubernetes clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more) | Documentation |
GKE Legacy Authorization Enabled 300a9964-b086-41f7-9378-b6de3ba1c32b | High | Insecure Configurations | Kubernetes Engine clusters must have Legacy Authorization disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more) | Documentation |
GKE Basic Authentication Enabled 344bf8ab-9308-462b-a6b2-697432e40ba1 | High | Insecure Configurations | GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the 'master_auth' block must be empty (read more) | Documentation |
SQL DB Instance Publicly Accessible 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b | High | Insecure Configurations | Cloud SQL instances should not be publicly accessible. (read more) | Documentation |
Client Certificate Disabled 20180133-a0d0-4745-bfe0-94049fbb12a9 | High | Insecure Configurations | Kubernetes clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more) | Documentation |
Network Policy Disabled 98e04ca0-34f5-4c74-8fec-d2e611ce2790 | High | Insecure Configurations | Kubernetes Engine clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more) | Documentation |
Compute Instance Is Publicly Accessible 829f1c60-2bab-44c6-8a21-5cd9d39a2c82 | High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. (read more) | Documentation |
GKE Master Authorized Networks Disabled d43366c5-80b0-45de-bbe8-2338f4ab0a83 | High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters (read more) | Documentation |
Stackdriver Logging Disabled 19c9e2a0-fc33-4264-bba1-e3682661e8f7 | High | Observability | Kubernetes Engine clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more) | Documentation |
Cloud Storage Bucket Logging Not Enabled 507df964-ad97-4035-ab14-94a82eabdfdd | High | Observability | Cloud Storage buckets should have logging enabled (read more) | Documentation |
PostgreSQL Logging Of Temporary Files Disabled d6fae5b6-ada9-46c0-8b36-3108a2a2f77b | High | Observability | PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more) | Documentation |
Stackdriver Monitoring Disabled 20dcd953-a8b8-4892-9026-9afa6d05a525 | High | Observability | Kubernetes Engine clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' (read more) | Documentation |
PostgreSQL Log Connections Disabled d7a5616f-0a3f-4d43-bc2b-29d1a183e317 | High | Observability | PostgreSQL database instances should have a 'log_connections' flag with its value set to 'on' (read more) | Documentation |
Cloud Storage Bucket Versioning Disabled 7814ddda-e758-4a56-8be3-289a81ded929 | High | Observability | Cloud Storage buckets should have versioning enabled (read more) | Documentation |
Node Auto Upgrade Disabled d6e10477-2e19-4bcd-b8a8-19c65b89ccdf | High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means node 'auto_upgrade' should be enabled for Kubernetes clusters (read more) | Documentation |
Disk Encryption Disabled 092bae86-6105-4802-99d2-99cd7e7431f3 | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer-Supplied Encryption Keys (CSEK) or with Customer-Managed Encryption Keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its subattributes 'raw_key' or 'kms_key_self_link' must also be defined (read more) | Documentation |
Google Compute SSL Policy Weak Cipher In Use b28bcd2f-c309-490e-ab7c-35fc4023eb26 | Medium | Encryption | This query checks whether a Google Compute SSL Policy enables weak cipher suites; to do so it checks that the TLS version is TLS_1_2, because other versions have weak ciphers (read more) | Documentation |
Google Container Node Pool Auto Repair Disabled d58c6f24-3763-4269-9f5b-86b2569a003b | Medium | Insecure Configurations | Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more) | Documentation |
Cloud DNS Without DNSSEC 80b15fb1-6207-40f4-a803-6915ae619a03 | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS (read more) | Documentation |
OSLogin Is Disabled In VM Instance 66dae697-507b-4aef-be18-eec5bd707f33 | Medium | Insecure Configurations | VM instances should have OSLogin enabled (read more) | Documentation |
Using Default Service Account 2775e169-e708-42a9-9305-b58aadd2c4dd | Medium | Insecure Configurations | Instances must not be configured to use the Default Service Account, which has full access to all Cloud APIs; this means the attribute 'service_account_email' must be defined, must not be empty, and must not be a default Google Compute Engine service account. (read more) | Documentation |
Shielded VM Disabled 18d3a83d-4414-49dc-90ea-f0387b2856cc | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its subattributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more) | Documentation |
COS Node Image Not Used be41f891-96b1-4b9d-b74f-b922a918c778 | Medium | Insecure Configurations | The node image should be Container-Optimized OS (COS) (read more) | Documentation |
GKE Using Default Service Account dc126833-125a-40fb-905a-ce5f2afde240 | Medium | Insecure Defaults | Kubernetes Engine clusters should not be configured to use the default service account (read more) | Documentation |
Serial Ports Are Enabled For VM Instances c6fc6f29-dc04-46b6-99ba-683c01aff350 | Medium | Networking and Firewall | Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM if they know the username, project ID, SSH key, instance name and zone (read more) | Documentation |
SSH Access Is Not Restricted b2fbf1df-76dd-4d78-a6c0-e538f4a9b016 | Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privilege (read more) | Documentation |
RDP Access Is Not Restricted 75418eb9-39ec-465f-913c-6f2b6a80dc77 | Medium | Networking and Firewall | Check if the Google Compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more) | Documentation |
Google Compute Network Using Firewall Rule that Allows All Ports 3602d273-3290-47b2-80fa-720162b1a8af | Medium | Networking and Firewall | Google Compute Network should not use a firewall rule that allows all ports (read more) | Documentation |
Google Compute Network Using Default Firewall Rule 29b8224a-60e9-4011-8ac2-7916a659841f | Medium | Networking and Firewall | Google Compute Network should not use the default firewall rule (read more) | Documentation |
IP Forwarding Enabled 11bd3554-cd56-4257-8e25-7aaf30cf8f5f | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more) | Documentation |
PostgreSQL log_checkpoints Flag Not Set To ON 89afe3f0-4681-4ce3-89ed-896cebd4277c | Medium | Observability | PostgreSQL database instances should have a 'log_checkpoints' flag with its value set to 'on' (read more) | Documentation |
PostgreSQL Misconfigured Log Messages Flag 28a757fc-3d8f-424a-90c0-4233363b2711 | Medium | Observability | PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more) | Documentation |
Project-wide SSH Keys Are Enabled In VM Instances 099b4411-d11e-4537-a0fc-146b19762a79 | Medium | Secret Management | VM instances should block project-wide SSH keys (read more) | Documentation |
High Google KMS Crypto Key Rotation Period f9b7086b-deb8-4034-9330-d7fd38f1b8de | Medium | Secret Management | KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more) | Documentation |
Google Compute Subnetwork with Private Google Access Disabled 6a4080ae-79bd-42f6-a924-8f534c1c018b | Low | Networking and Firewall | Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more) | Documentation |
Google Compute Network Using Firewall Rule that Allows Port Range 7289eebd-a477-4064-8ad4-3c044bd70b00 | Low | Networking and Firewall | Google Compute Network should not use a firewall rule that allows a port range (read more) | Documentation |
CONFIG
Below are listed the queries related to Ansible CONFIG:
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Allow Unsafe Lookups Enabled 86b97bb4-85c9-462d-8635-cbc057c5c8c5 | High | Insecure Configurations | When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more) | Documentation |
Privilege Escalation Using Become Plugin 404908b6-4954-4611-98f0-e8ceacdabcb1 | Medium | Access Control | In order to perform an action as a different user with 'become_user', 'become' must be defined and set to 'true' (read more) | Documentation |
Communication over HTTP d7dc9350-74bc-485b-8c85-fed22d276c43 | Medium | Insecure Configurations | Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more) | Documentation |
Logging of Sensitive Data c6473dae-8477-4119-88b7-b909b435ce7b | Low | Best Practices | To keep sensitive values out of logs, tasks that expose them need to be marked by defining 'no_log' and setting it to True (read more) | Documentation |
HOSTS
Below are listed the queries related to Ansible HOSTS:
Query | Severity | Category | Description | Help |
---|---|---|---|---|
Ansible Tower Exposed To Internet 1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc | Medium | Best Practices | Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more) | Documentation |