
Ansible

Ansible Queries List

This page contains all queries from Ansible.

AZURE

Below are the queries for Ansible AZURE:

| Query | ID | Severity | Category | Description |
|---|---|---|---|---|
| Public Storage Account | 35e2f133-a395-40de-a79d-b260d973d1bd | High | Access Control | Storage Accounts should not allow public access, following the principle of least privilege. |
| Storage Container Is Publicly Accessible | 4d3817db-dd35-4de4-a80d-3867157e7f7f | High | Access Control | Anonymous public read access to a container and its blobs is enabled in Azure Blob Storage. |
| Admin User Enabled For Container Registry | 29f35127-98e6-43af-8ec1-201b79f99604 | High | Access Control | The admin user is enabled for the Container Registry. |
| Azure Instance Using Basic Authentication | e2d834b7-8b25-4935-af53-4a60668dcbe0 | High | Best Practices | Azure instances should use SSH keys instead of password (basic) authentication. |
| SSL Enforce Disabled | 961ce567-a16d-4d7d-9027-f0ec2628a555 | High | Encryption | For PostgreSQL, 'Enforce SSL connection' should be set to 'ENABLED'. |
| Storage Account Not Forcing HTTPS | 2c99a474-2a3c-4c17-8294-53ffa5ed0522 | High | Encryption | Storage Accounts should enforce the use of HTTPS. |
| MySQL SSL Connection Disabled | 2a901825-0f3b-4655-a0fe-e0470e50f8e6 | High | Encryption | For MySQL Database Server, 'Enforce SSL connection' should be enabled. |
| Web App Accepting Traffic Other Than HTTPS | eb8c2560-8bee-4248-9d0d-e80c8641dd91 | High | Insecure Configurations | An Azure Web App Service app should only accept HTTPS traffic. |
| Azure Container Registry With No Locks | 581dae78-307d-45d5-aae4-fe2b0db267a5 | High | Insecure Configurations | The Azure Container Registry should have an associated lock, which means an 'azure_rm_lock' whose 'managed_resource_id' or 'resource_group' refers to the registry should be defined. |
| AD Admin Not Configured For SQL Server | b176e927-bbe2-44a6-a9c3-041417137e5f | High | Insecure Configurations | No Active Directory Administrator is configured for the SQL server. |
| VM Not Attached To Network | 1e5f5307-3e01-438d-8da6-985307ed25ce | High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine. |
| Sensitive Port Is Exposed To Entire Network | 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc | High | Networking and Firewall | A sensitive port, such as 23 (Telnet) or 110 (POP3), is open to the whole network over TCP or UDP. |
| Trusted Microsoft Services Not Enabled | 1bc398a8-d274-47de-a4c8-6ac867b353de | High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access. |
| CosmosDB Account IP Range Filter Not Set | e8c80448-31d8-4755-85fc-6dbab69c2717 | High | Networking and Firewall | An IP range filter should be defined to restrict access to the stored data. |
| SQLServer Ingress From Any IP | f4e9ff70-0f3b-4c50-a713-26cbe7ec4039 | High | Networking and Firewall | Checks whether a firewall rule allows every IP, that is, a range from 0.0.0.0 to 255.255.255.255. |
| Redis Publicly Accessible | 0632d0db-9190-450a-8bb3-c283bffea445 | High | Networking and Firewall | A firewall rule allows unrestricted access to Redis from other Azure sources. |
| Redis Entirely Accessible | 0d0c12b9-edce-4510-9065-13f6a758750c | High | Networking and Firewall | A firewall rule allows unrestricted access to Redis from the Internet. |
| Role Definition Allows Custom Role Creation | 5c80db8e-03f5-43a2-b4af-1f3f87018157 | Medium | Access Control | A Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write). |
| Default Azure Storage Account Network Access Is Too Permissive | ca4df748-613a-4fbf-9c76-f02cbd580307 | Medium | Access Control | Azure Storage Account network access should be limited to those who require it. |
| AKS RBAC Disabled | 149fa56c-4404-4f90-9e25-d34b676d5b39 | Medium | Access Control | Azure Kubernetes Service (AKS) instances should have role-based access control (RBAC) enabled. |
| Key Vault Soft Delete Is Disabled | 881696a8-68c5-4073-85bc-7c38a3deb854 | Medium | Backup | Soft Delete should be enabled for Key Vault. |
| SQL Server Predictable Admin Account Name | 663062e9-473d-4e87-99bc-6f3684b3df40 | Medium | Best Practices | The Azure SQL Server admin login must avoid predictable names such as 'Admin', which means 'admin_username' must be set to a name that is not easy to guess. |
| SQL Server Predictable Active Directory Account Name | 530e8291-2f22-4bab-b7ea-306f1bc2a308 | Medium | Best Practices | The Azure SQL Server Active Directory Administrator must avoid predictable names such as 'Admin', which means 'ad_user' must be set to a name that is not easy to guess. |
| Cosmos DB Account Without Tags | 23a4dc83-4959-4d99-8056-8e051a82bc1e | Medium | Build Process | A Cosmos DB Account must have a mapping of tags. |
| Storage Account Not Using Latest TLS Encryption Version | c62746cf-92d5-4649-9acf-7d48d086f2ee | Medium | Encryption | Storage Accounts should use the latest TLS version. |
| Redis Cache Allows Non SSL Connections | 869e7fb4-30f0-4bdb-b360-ad548f337f2f | Medium | Insecure Configurations | Redis Cache resources should not allow non-SSL connections. |
| Security Group is Not Configured | da4f2739-174f-4cdd-b9ef-dc3f14b5931f | Medium | Insecure Configurations | An Azure Virtual Network subnet must be configured with a Network Security Group, which means 'security_group' must be defined and not empty. |
| AKS Network Policy Misconfigured | 8c3bedf1-c570-4c3b-b414-d068cd39a00c | Medium | Insecure Configurations | AKS should have a network policy configured to enforce least privilege, which means 'network_profile.network_policy' should be defined. |
| Firewall Rule Allows Too Many Hosts To Access Redis Cache | 69f72007-502e-457b-bd2d-5012e31ac049 | Medium | Networking and Firewall | Checks whether any firewall rule allows too many hosts to access the Redis Cache. |
| Unrestricted SQL Server Access | 3f23c96c-f9f5-488d-9b17-605b8da5842f | Medium | Networking and Firewall | Azure SQL Server firewall rules should cover a minimal address range, following least privilege: the difference between 'end_ip_address' and 'start_ip_address' should be less than 256, and neither address may be '0.0.0.0'. |
| WAF Is Disabled For Azure Application Gateway | 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255 | Medium | Networking and Firewall | Checks whether the Web Application Firewall is disabled or not configured for an Azure Application Gateway. |
| PostgreSQL Log Disconnections Not Set | 054d07b5-941b-4c28-8eef-18989dc62323 | Medium | Observability | For PostgreSQL Database, the server parameter 'log_disconnections' should be set to 'ON'. |
| PostgreSQL Server Without Connection Throttling | a9becca7-892a-4af7-b9e1-44bf20a4cd9a | Medium | Observability | Connection Throttling should be enabled for the PostgreSQL server. |
| PostgreSQL Log Duration Not Set | 729ebb15-8060-40f7-9017-cb72676a5487 | Medium | Observability | For PostgreSQL Database, the server parameter 'log_duration' should be set to 'ON'. |
| Log Retention Is Not Set | 0461b4fd-21ef-4687-929e-484ee4796785 | Medium | Observability | For PostgreSQL Database, the server parameter 'log_retention' should be set to 'ON'. |
| PostgreSQL Log Connections Not Set | 7b47138f-ec0e-47dc-8516-e7728fe3cc17 | Medium | Observability | For PostgreSQL Database, the server parameter 'log_connections' should be set to 'ON'. |
| Small Activity Log Retention Period | 37fafbea-dedb-4e0d-852e-d16ee0589326 | Medium | Observability | Activity Log retention should be set to 365 days or more. |
| Monitoring Log Profile Without All Activities | 89f84a1e-75f8-47c5-83b5-bee8e2de4168 | Medium | Observability | The monitoring log profile should capture all activity categories (Action, Write, Delete). |
| PostgreSQL Log Checkpoints Disabled | 7ab33ac0-e4a3-418f-a673-50da4e34df21 | Medium | Observability | For PostgreSQL Database Server, the parameter 'log_checkpoints' should be set to 'ON'. |
| AKS Monitoring Logging Disabled | d5e83b32-56dd-4247-8c2e-074f43b38a5e | Medium | Observability | AKS instances should have logging to Azure Monitor enabled. |

SHARED (V2/V3)

Below are the queries for Ansible SHARED (V2/V3):

| Query | ID | Severity | Category | Description |
|---|---|---|---|---|
| Privilege Escalation Using Become Plugin | 0e75052f-cc02-41b8-ac39-a78017527e95 | Medium | Access Control | To run an action as a different user via 'become_user', 'become' must be defined and set to 'true'. |
| Communication Over HTTP | 2e8d4922-8362-4606-8c14-aa10466a1ce3 | Medium | Insecure Configurations | Using plain HTTP URLs (no encryption) can lead to security vulnerabilities and risks. |
| Insecure Relative Path Resolution | 8d22ae91-6ac1-459f-95be-d37bd373f244 | Low | Best Practices | Relative paths are resolved against the current working directory, which can change, so they can lead to unexpected behaviour. |
| Logging of Sensitive Data | 59029ddf-e651-412b-ae7b-ff6d403184bc | Low | Best Practices | To keep sensitive values out of logs, tasks that expose them must set 'no_log' to true. |
| Unpinned Package Version | c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8 | Low | Supply-Chain | Setting state to 'latest' performs an update and may install additional packages, possibly resulting in performance degradation or loss of service. |
| Risky File Permissions | 88841d5c-d22d-4b7e-a6a0-89ca50e44b9f | Info | Supply-Chain | Some modules can create new files on disk with permissions that are too open or unpredictable. |
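The SHARED checks above are all properties of a single task dictionary, so they can be demonstrated as plain detection logic over a parsed task list. The block below is an added example, not KICS code or its Rego queries: it represents tasks as the dicts `yaml.safe_load` returns for a playbook's `tasks:` list, and the sample tasks, the module sets (which modules count as file-creating or package-installing), the task-keyword subset and the credential-like parameter pattern are all assumptions made here for illustration.

```python
"""Detect the SHARED (V2/V3) findings in Ansible tasks (added example, not KICS code).

Tasks are the dicts yaml.safe_load returns for a playbook's task list, so no YAML
library is needed. Module sets, keyword subset and sample tasks are assumptions.
"""
import re

# Assumed module sets for the file-permission and package-version checks.
FILE_MODULES = {"file", "copy", "template", "get_url", "lineinfile"}
PACKAGE_MODULES = {"apt", "yum", "dnf", "package", "pip"}
# Task-level keywords that are not module calls (a subset sufficient for the sample).
TASK_KEYWORDS = {"name", "become", "become_user", "no_log", "when", "loop",
                 "register", "vars", "tags", "args", "changed_when", "failed_when"}
SENSITIVE_PARAM = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)
HTTP_URL = re.compile(r"\bhttp://", re.I)


def is_true(value):
    """Ansible accepts true/yes/on (and strings of them) as boolean true."""
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def module_call(task):
    """Return (short module name, params) for the module the task invokes."""
    for key, value in task.items():
        if key not in TASK_KEYWORDS:
            return key.rsplit(".", 1)[-1], value   # strip the collection prefix
    return None, None


def strings_in(value):
    """Yield every string nested anywhere in a task value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from strings_in(v)


def check_task(task):
    """Return [(task name, query name), ...] for one task dict."""
    findings = []
    name = task.get("name", "<unnamed>")
    module, params = module_call(task)
    params = params if isinstance(params, dict) else {}   # free-form calls carry no keyed params

    # Privilege Escalation Using Become Plugin: become_user without become: true
    if "become_user" in task and not is_true(task.get("become")):
        findings.append((name, "Privilege Escalation Using Become Plugin"))
    # Communication Over HTTP: any plain http:// URL anywhere in the task
    if any(HTTP_URL.search(s) for s in strings_in(task)):
        findings.append((name, "Communication Over HTTP"))
    # Logging of Sensitive Data: credential-like parameter without no_log: true
    if any(SENSITIVE_PARAM.search(k) for k in params) and not is_true(task.get("no_log")):
        findings.append((name, "Logging of Sensitive Data"))
    # Unpinned Package Version: state: latest on a package module
    if module in PACKAGE_MODULES and params.get("state") == "latest":
        findings.append((name, "Unpinned Package Version"))
    # Risky File Permissions: file-creating module with no explicit mode
    if module in FILE_MODULES and "mode" not in params and params.get("state") != "absent":
        findings.append((name, "Risky File Permissions"))
    return findings


def scan_tasks(tasks):
    """Run every check over a task list."""
    return [f for task in tasks for f in check_task(task)]


# Constructed sample task list (the parsed form of a playbook's `tasks:`).
SAMPLE_TASKS = [
    {"name": "Create app DB user",
     "community.mysql.mysql_user": {"name": "app", "password": "{{ db_password }}"}},
    {"name": "Restart postgres as its owner",
     "become_user": "postgres",
     "ansible.builtin.command": "pg_ctl restart -D /var/lib/pgsql/data"},
    {"name": "Download installer",
     "ansible.builtin.get_url": {"url": "http://mirror.example.test/tool.tar.gz",
                                 "dest": "/tmp/tool.tar.gz"}},
    {"name": "Install nginx",
     "ansible.builtin.apt": {"name": "nginx", "state": "latest"}},
    {"name": "Render config",
     "ansible.builtin.template": {"src": "app.conf.j2", "dest": "/etc/app.conf"}},
    {"name": "Install pinned nginx (clean)",
     "become": True,
     "ansible.builtin.apt": {"name": "nginx=1.24.0-1", "state": "present"}},
]

if __name__ == "__main__":
    for task_name, query in scan_tasks(SAMPLE_TASKS):
        print(f"{query}: {task_name}")
```

Running it reports six findings on the first five sample tasks and none on the last one; the `get_url` task is flagged twice (plain HTTP and no `mode`), which is exactly how the two queries compose on a real download task.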

AWS

Below are the queries for Ansible AWS:

| Query | ID | Severity | Category | Description |
|---|---|---|---|---|
| S3 Bucket Allows List Action From All Principals | d395a950-12ce-4314-a742-ac5a785ab44e | High | Access Control | S3 Buckets must not allow the List action from all principals, to prevent leaking private information to the entire Internet or allowing unauthorized data tampering or deletion: 'Effect' must not be 'Allow' when the 'Action' is List for all principals. |
| S3 Bucket ACL Allows Read to All Users | a1ef9d2e-4163-40cb-bd92-04f0d602a15d | High | Access Control | S3 Buckets should not be readable by all users. |
| IAM Policy Grants Full Permissions | b5ed026d-a772-4f07-97f9-664ba0b116f8 | High | Access Control | IAM policies should not grant full permissions on resources from the start; permissions should be granted gradually as needed. |
| ECS Service Admin Role Is Present | 7db727c1-1720-468e-b80e-06697f71e09e | High | Access Control | ECS Services must not use an admin role, which means the 'role' attribute must not be an admin role. |
| S3 Bucket ACL Allows Read to Any Authenticated User | 75480b31-f349-4b9a-861f-bce19588e674 | High | Access Control | S3 Buckets should not be readable by any authenticated AWS user. |
| IAM Policies With Full Privileges | e401d614-8026-4f4b-9af9-75d1197461ba | High | Access Control | IAM policies should not allow full administrative privileges (all actions on all resources). |
| SQS Queue Exposed | 86b0efa7-4901-4edd-a37a-c034bec6645a | High | Access Control | Checks whether the SQS Queue is exposed. |
| S3 Bucket Access to Any Principal | 3ab1f27d-52cc-4943-af1d-43c1939e739a | High | Access Control | Checks whether the S3 bucket is accessible to all users. |
| S3 Bucket Allows Delete Action From All Principals | 6fa44721-ef21-41c6-8665-330d59461163 | High | Access Control | S3 Buckets must not allow the Delete action from all principals, to prevent leaking private information to the entire Internet or allowing unauthorized data tampering or deletion: 'Effect' must not be 'Allow' when the 'Action' is Delete for all principals. |
| S3 Bucket With All Permissions | 6a6d7e56-c913-4549-b5c5-5221e624d2ec | High | Access Control | S3 Buckets should not grant all permissions, to prevent leaking private information to the entire Internet or allowing unauthorized data tampering or deletion: 'Effect' must not be 'Allow' when the 'Action' is '*' for all principals. |
| SNS Topic is Publicly Accessible | 905f4741-f965-45c1-98db-f7a00a0e5c73 | High | Access Control | An SNS Topic Policy should not allow any principal to access it. |
| Authentication Without MFA | eee107f9-b3d8-45d3-b9c6-43b5a7263ce1 | High | Access Control | Users should authenticate with MFA (multi-factor authentication) for an extra layer of protection when authenticating. |
| S3 Bucket Allows Get Action From All Principals | 53bce6a8-5492-4b1b-81cf-664385f0c4bf | High | Access Control | S3 Buckets must not allow the Get action from all principals, to prevent leaking private information to the entire Internet or allowing unauthorized data tampering or deletion: 'Effect' must not be 'Allow' when the 'Action' is Get for all principals. |
| S3 Bucket Allows Put Action From All Principals | a0f1bfe0-741e-473f-b3b2-13e66f856fab | High | Access Control | S3 Buckets must not allow the Put action from all principals, to prevent leaking private information to the entire Internet or allowing unauthorized data tampering or deletion: 'Effect' must not be 'Allow' when the 'Action' is Put for all principals. |
| User Data Shell Script Is Encoded | 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89 | High | Encryption | The User Data shell script must be encoded. |
| IAM Database Auth Not Enabled | 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 | High | Encryption | IAM database authentication should be set to true when using a compatible engine and version. |
| S3 Bucket SSE Disabled | 309edc5b-5a59-42b4-a357-d4d098311fd4 | High | Encryption | If the algorithm is AES256, the master key must be null, empty or undefined; otherwise the master key is required. |
| EFS Without KMS | bd77554e-f138-40c5-91b2-2a09f878608e | High | Encryption | Amazon Elastic File System should have encryption enabled using a KMS customer-managed key (CMK) instead of AWS managed keys. |
| S3 Bucket Without Server-side-encryption | 594f54e7-f744-45ab-93e4-c6dbaf6cd571 | High | Encryption | AWS S3 storage should be protected with SSE (server-side encryption). |
| CA Certificate Identifier Is Outdated | 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce | High | Encryption | The CA certificate identifier must be 'rds-ca-2019'. |
| ELB Using Insecure Protocols | 730a5951-2760-407a-b032-dd629b55c23a | High | Encryption | ELB predefined or custom security policies must not use insecure protocols, to reduce the risk of the TLS connection between the client and the load balancer being exploited: the 'SslPolicy' of 'listeners' must not match any entry of a predefined list of insecure protocols. |
| Redis Not Compliant | 9f34885e-c08f-4d13-a7d1-cf190c5bd268 | High | Encryption | Checks whether the Redis version is compliant with the AWS PCI DSS requirements. |
| Secure Ciphers Disabled | 218413a0-c716-4b94-9e08-0bb70d854709 | High | Encryption | Checks whether secure ciphers are not used in CloudFront. |
| Kinesis Not Encrypted With KMS | f2ea6481-1d31-4d40-946a-520dc6321dd7 | High | Encryption | AWS Kinesis Streams and their metadata should be protected with KMS. |
| DB Instance Storage Not Encrypted | 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff | High | Encryption | An AWS DB instance should have its storage encrypted by setting 'storage_encrypted' to 'true'; the default is 'false'. |
| AMI Not Encrypted | 97707503-a22c-4cd7-b7c0-f088fa7cf830 | High | Encryption | AWS AMI encryption is not enabled. |
| ECS Task Definition Container With Plaintext Password | 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892 | High | Encryption | Plaintext environment variables should not be used for sensitive information such as credentials. |
| User Data Contains Encoded Private Key | c09f4d3e-27d2-4d46-9453-abbe9687a64e | High | Encryption | User Data should not contain a base64-encoded private key; anyone who can read the User Data can decode the key trivially. |
| ELB Using Weak Ciphers | 2034fb37-bc23-4ca0-8d95-2b9f15829ab5 | High | Encryption | ELB predefined or custom security policies must not use weak ciphers, to reduce the risk of the TLS connection between the client and the load balancer being exploited: the 'SslPolicy' of 'listeners' must not match any entry of a predefined list of weak ciphers. |
| Launch Configuration Is Not Encrypted | 66477506-6abb-49ed-803d-3fa174cd5f6a | High | Encryption | Launch Configurations should encrypt the data in their volumes, which means 'encrypted' should be set to true on each volume. |
| Cloudfront Viewer Protocol Policy Allows HTTP | a6d27cf7-61dc-4bde-ae08-3b353b609f76 | High | Encryption | Checks whether the connection between CloudFront and the viewer is encrypted. |
| Redshift Not Encrypted | 6a647814-def5-4b85-88f5-897c19f509cd | High | Encryption | AWS Redshift Clusters should be encrypted; checks whether 'encrypted' is false or undefined (default is false). |
| EFS Not Encrypted | 727c4fd4-d604-4df6-a179-7713d3c85e20 | High | Encryption | Elastic File System (EFS) must be encrypted. |
| Redshift Publicly Accessible | 5c6b727b-1382-4629-8ba9-abd1365e5610 | High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible; checks whether 'publicly_accessible' is true (default is false). |
| EC2 Group Has Public Interface | 5330b503-3319-44ff-9b1c-00ee873f728a | High | Insecure Configurations | The CIDR IP of the EC2 security group rule should not be a public interface. |
| KMS Key With Full Permissions | 5b9d237a-57d5-4177-be0e-71434b0fef47 | High | Insecure Configurations | The KMS key policy is too permissive: it gives the AWS account owner access to all KMS operations, violating the principle of least privilege. |
| S3 Bucket with Unsecured CORS Rule | 3505094c-f77c-4ba0-95da-f83db712f86c | High | Insecure Configurations | If a CORS (Cross-Origin Resource Sharing) rule is defined on an S3 bucket, it should be restrictive. |
| RDS DB Instance Publicly Accessible | c09e3ca5-f08a-4717-9c87-3919c5e6d209 | High | Insecure Configurations | RDS must not be defined with a public interface, which means 'publicly_accessible' should not be set to 'true' (default is 'false'). |
| ECS Task Definition Network Mode Not Recommended | 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f | High | Insecure Configurations | 'network_mode' should be 'awsvpc' in ecs_taskdefinition. AWS VPCs provide the controls for a formal process of approving and testing all network connections and changes to firewall and router configurations. |
| Batch Job Definition With Privileged Container Properties | defe5b18-978d-4722-9325-4d1975d3699f | High | Insecure Configurations | A Batch Job Definition should not have privileged container properties. |
| Root Account Has Active Access Keys | e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40 | High | Insecure Configurations | The AWS root account must not have active access keys; any access keys associated with it must be inactive. |
| CloudFront Without Minimum Protocol TLS 1.2 | d0c13053-d2c8-44a6-95da-d592996e9e67 | High | Insecure Configurations | The CloudFront minimum protocol version should be at least TLS 1.2. |
| Vulnerable Default SSL Certificate | fb8f8929-afeb-4c46-99f0-a6cf410f7df4 | High | Insecure Defaults | CloudFront web distributions should use custom (not default) SSL certificates. A custom certificate lets only defined users access content, using an alternate domain name instead of the default one. |
| HTTP Port Open To Internet | a14ad534-acbe-4a8e-9404-2f7e1045646e | High | Networking and Firewall | The HTTP port is open to the Internet in a Security Group. |
| Public Port Wide | 71ea648a-d31a-4b5a-a589-5674243f1c33 | High | Networking and Firewall | An AWS Security Group should not expose a wide port range publicly. |
| Security Group With Unrestricted Access To SSH | 57ced4b9-6ba4-487b-8843-b65562b90c77 | High | Networking and Firewall | 'SSH' (TCP:22) should not be public in an AWS Security Group. |
| DB Security Group With Public Scope | 0956aedf-6a7a-478b-ab56-63e2b19923ad | High | Networking and Firewall | The IP range in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6); otherwise any IP can access it. |
| Route53 Record Undefined | 445dce51-7e53-4e50-80ef-7f94f14169e4 | High | Networking and Firewall | A Route53 Record should have a list of records. |
| Unrestricted Security Group Ingress | 83c5fa4c-e098-48fc-84ee-0a537287ddd2 | High | Networking and Firewall | Security groups allow ingress from 0.0.0.0/0. |
| EC2 Instance Has Public IP | a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1 | High | Networking and Firewall | An EC2 instance should not have a public IP address. |
| Elasticsearch with HTTPS disabled | d6c2d06f-43c1-488a-9ba1-8d75b40fc62d | High | Networking and Firewall | Amazon Elasticsearch does not have encryption enabled for its domains; set 'EnforceHTTPS' to true. |
| Unknown Port Exposed To Internet | 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b | High | Networking and Firewall | An AWS Security Group should not expose an unknown port to the entire Internet. |
| Default Security Groups With Unrestricted Traffic | 8010e17a-00e9-4635-a692-90d6bcec68bd | High | Networking and Firewall | Checks whether the default security group fails to restrict all inbound and outbound traffic. |
| Security Group Ingress Not Restricted | ea6bc7a6-d696-4dcf-a788-17fa03c17c81 | High | Networking and Firewall | An AWS Security Group should restrict ingress access. |
| RDS Associated with Public Subnet | 16732649-4ff6-4cd2-8746-e72c13fae4b8 | High | Networking and Firewall | RDS should not run in a public subnet. |
| ALB Listening on HTTP | f81d63d2-c5d7-43a4-a5b5-66717a41c895 | High | Networking and Firewall | An AWS Application Load Balancer (ALB) should not listen on HTTP. |
| Remote Desktop Port Open To Internet | eda7301d-1f3e-47cf-8d4e-976debc64341 | High | Networking and Firewall | The Remote Desktop port is open to the Internet in a Security Group. |
| DB Security Group Open To Large Scope | ea0ed1c7-9aef-4464-b7c7-94c762da3640 | High | Networking and Firewall | The IP range in a DB Security Group must not cover more than 256 hosts. |
| CloudTrail Logging Disabled | d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5 | High | Observability | Checks whether logging is enabled for CloudTrail. |
| CMK Rotation Disabled | af96d737-0818-4162-8c41-40d969bd65d1 | High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means 'enable_key_rotation' must be set to 'true' when the key is enabled. |
| SQS Policy With Public Access | d994585f-defb-4b51-b6d2-c70f020ceb10 | Medium | Access Control | Checks for dangerous permissions in the Action statements of an SQS Queue Policy; these would enable various attacks on the queue. |
| S3 Bucket With Public Access | c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 | Medium | Access Control | The S3 Bucket allows public access. |
| SQS Policy Allows All Actions | ed9b3beb-92cf-44d9-a9d2-171eeba569d4 | Medium | Access Control | The SQS policy allows all ('*') actions. |
| Public Lambda via API Gateway | 5e92d816-2177-4083-85b4-f61b4f7176d9 | Medium | Access Control | A Lambda function can be invoked through a public API Gateway. |
| Lambda Permission Principal Is Wildcard | 1d972c56-8ec2-48c1-a578-887adb09c57a | Medium | Access Control | A Lambda permission principal should not contain a wildcard. |
| IAM Access Key Is Exposed | 7f79f858-fbe8-4186-8a2c-dfd0d958a40f | Medium | Access Control | Checks whether an IAM access key is active for a user other than 'root'. |
| IAM Policies Attached To User | eafe4bc3-1042-4f88-b988-1939e64bf060 | Medium | Access Control | IAM policies should be attached only to groups or roles, not directly to users. |
| API Gateway Without Configured Authorizer | b16cdb37-ce15-4ab2-8401-d42b05d123fc | Medium | Access Control | An API Gateway REST API should have an API Gateway Authorizer. |
| AMI Shared With Multiple Accounts | a19b2942-142e-4e2b-93b7-6cf6a6c8d90f | Medium | Access Control | Limits access to AWS AMIs by checking whether more than one account is using the same image. |
| Cross-Account IAM Assume Role Policy Without ExternalId or MFA | af167837-9636-4086-b815-c239186b9dda | Medium | Access Control | A cross-account IAM assume-role policy should require an external ID or MFA to protect cross-account access. |
| Certificate Has Expired | 5a443297-19d4-4381-9e5b-24faf947ec22 | Medium | Access Control | Expired SSL/TLS certificates should be removed. |
| ECR Repository Is Publicly Accessible | fb5a5df7-6d74-4243-ab82-ff779a958bfd | Medium | Access Control | Amazon ECR image repositories should not be publicly accessible. |
| SES Policy With Allowed IAM Actions | 8ed0bfce-f780-46d4-b086-21c3628f09ad | Medium | Access Control | An SES policy should not allow IAM actions to all principals. |
| CMK Is Unusable | 133fee21-37ef-45df-a563-4d07edc169f4 | Medium | Availability | AWS Key Management Service (KMS) must only hold usable Customer Master Keys (CMK), which means 'enabled' must be true and 'pending_window' must be undefined. |
| ECS Service Without Running Tasks | f5c45127-1d28-4b49-a692-0b97da1c3a84 | Medium | Availability | An ECS Service should have at least one task running. |
| Auto Scaling Group With No Associated ELB | 050f085f-a8db-4072-9010-2cca235cc02f | Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance, which means 'load_balancers' must be defined and not empty. |
| RDS With Backup Disabled | e69890e6-fce5-461d-98ad-cb98318dfc96 | Medium | Backup | The AWS RDS configuration should have automatic backups configured; a retention period of 0 means no backups. |
| Stack Retention Disabled | 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 | Medium | Backup | 'retain_stack' should be enabled so the stack and its associated resources are kept during resource destruction. |
| IAM Password Without Lowercase Letter | 8e3063f4-b511-45c3-b030-f3b0c9131951 | Medium | Best Practices | The IAM password should have at least one lowercase letter. |
| IAM Password Without Number | 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8 | Medium | Best Practices | The IAM user Login Profile password should have at least one number. |
| IAM Password Without Minimum Length | 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d | Medium | Best Practices | The IAM password should have the required minimum length. |
| Password Without Reuse Prevention | 6f5f5444-1422-495f-81ef-24cefd61ed2c | Medium | Best Practices | The password policy's 'password_reuse_prevention' is missing or equal to 0. |
| IAM Password Without Uppercase Letter | 83957b81-39c1-4191-8e12-671d2ce14354 | Medium | Best Practices | The IAM password should have at least one uppercase letter. |
| Misconfigured Password Policy Expiration | 3f2cf811-88fa-4eda-be45-7a191a18aba9 | Medium | Best Practices | No password expiration policy is set. |
| Stack Without Template | 32d31f1f-0f83-4721-b7ec-1e6948c60145 | Medium | Build Process | An AWS CloudFormation stack should have a template defined through the 'template', 'template_url' or 'template_body' attribute. |
| Config Rule For Encrypted Volumes Disabled | 7674a686-e4b1-4a95-83d4-1fd53c623d84 | Medium | Encryption | Checks whether the AWS Config rules do not identify Encrypted Volumes as a source. |
| Memcached Disabled | 2d55ef88-b616-4890-b822-47f280763e89 | Medium | Encryption | Checks whether Memcached is disabled on ElastiCache. |
| SQS With SSE Disabled | e1e7b278-2a8b-49bd-a26e-66a7f70b17eb | Medium | Encryption | Amazon Simple Queue Service (SQS) queues should protect the contents of their messages with server-side encryption (SSE). |
| EBS Volume Encryption Disabled | 4b6012e7-7176-46e4-8108-e441785eae57 | Medium | Encryption | EBS volumes should be encrypted. |
| CodeBuild Not Encrypted | a1423864-2fbc-4f46-bfe1-fbbf125c71c9 | Medium | Encryption | A CodeBuild project should be encrypted. |
| API Gateway Without SSL Certificate | b47b98ab-e481-4a82-8bb1-1ab39fd36e33 | Medium | Insecure Configurations | An SSL client certificate should be enabled. |
| ECR Image Tag Not Immutable | 60bfbb8a-c72f-467f-a6dd-a46b7d612789 | Medium | Insecure Configurations | ECR should have image tags set to immutable, which prevents image tags from being overwritten. |
| Lambda Function Without Tags | 265d9725-2fb8-42a2-bc57-3279c5db82d5 | Medium | Insecure Configurations | AWS Lambda functions must have associated tags. |
| Instance With No VPC | 61d1a2d0-4db8-405a-913d-5d2ce49dff6f | Medium | Insecure Configurations | EC2 instances should be configured inside a VPC. AWS VPCs provide the controls for a formal process of approving and testing all network connections and changes to firewall and router configurations. |
| Certificate RSA Key Bytes Lower Than 256 | d5ec2080-340a-4259-b885-f833c4ea6a31 | Medium | Insecure Configurations | The certificate should use an RSA key of at least 256 bytes (2048 bits). |
| AWS Password Policy With Unchangeable Passwords | e28ceb92-d588-4166-aac5-766c8f5b7472 | Medium | Insecure Configurations | The AWS password policy does not allow users to change their own passwords. |
| API Gateway Endpoint Config is Not Private | 559439b2-3e9c-4739-ac46-17e3b24ec215 | Medium | Networking and Firewall | The API Gateway endpoint type should be set to PRIVATE so it is not exposed to the public Internet. |
| API Gateway without WAF | f5f38943-664b-4acc-ab11-f292fa10ed0b | Medium | Networking and Firewall | API Gateway should have a WAF (Web Application Firewall) enabled. |
| SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible | 7af1c447-c014-4f05-bd8b-ebe3a15734ac | Medium | Networking and Firewall | Checks whether TCP port 2383 is publicly accessible by inspecting the CIDR block range allowed to reach it. |
| API Gateway X-Ray Disabled | 2059155b-27fd-441e-b616-6966c468561f | Medium | Observability | API Gateway should have X-Ray tracing enabled. |
| API Gateway With CloudWatch Logging Disabled | 72a931c2-12f5-40d1-93cc-47bff2f7aa2a | Medium | Observability | AWS CloudWatch Logs are not enabled for the API. |
| S3 Bucket Without Versioning | 9232306a-f839-40aa-b3ef-b352001da9a5 | Medium | Observability | The S3 bucket should have versioning enabled. |
| Configuration Aggregator to All Regions Disabled | a2fdf451-89dd-451e-af92-bf6c0f4bab96 | Medium | Observability | The AWS Config Configuration Aggregator must have all regions set to true. |
| S3 Bucket Logging Disabled | c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d | Medium | Observability | Server access logging should be enabled on S3 buckets so that all changes are logged and traceable. |
| CloudFront Logging Disabled | d31cb911-bf5b-4eb6-9fc3-16780c77c7bd | Medium | Observability | AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means 'logging' should be defined with 'enabled' set to true. |
| CloudTrail Multi Region Disabled | 6ad087d7-a509-4b20-b853-9ef6f5ebaa98 | Medium | Observability | CloudTrail multi-region should be enabled, which means 'is_multi_region_trail' should be set to true. |
| CloudWatch Without Retention Period Specified | e24e18d9-4c2b-4649-b3d0-18c088145e24 | Medium | Observability | AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store and access log events. |
| Stack Notifications Disabled | d39761d7-94ab-45b0-ab5e-27c44e381d58 | Medium | Observability | AWS CloudFormation stacks should have notifications enabled to report when an event occurs. |
| CloudTrail Not Integrated With CloudWatch | ebb2118a-03bc-4d53-ab43-d8750f5cb8d3 | Medium | Observability | CloudTrail should be integrated with CloudWatch. |
CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92
Medium Observability Check if SNS topic name is set for CloudTrail (read more) Documentation
No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9
Medium Resource Management AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more) Documentation
Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c
Medium Secret Management AWS Access Key should not be hardcoded (read more) Documentation
Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645
Medium Secret Management Lambda access/secret keys should not be hardcoded (read more) Documentation
IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193
Low Access Control IAM Group should have at least one user associated (read more) Documentation
IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd
Low Access Control IAM role allows all services or principals to assume it (read more) Documentation
EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c
Low Access Control EC2 instances should not use default security group(s) (read more) Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c
Low Access Control IAM Policy should not grant 'AssumeRole' permission across all services. (read more) Documentation
CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6
Low Best Practices Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more) Documentation
Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94
Low Best Practices RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more) Documentation
Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520
Low Best Practices Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction' (read more) Documentation
EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851
Low Build Process Amazon Elastic Filesystem should have filesystem tags associated (read more) Documentation
CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b
Low Encryption Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more) Documentation
EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029
Low Networking and Firewall EC2 Instances should not be configured under a default VPC network (read more) Documentation
Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881
Low Networking and Firewall Redshift should not use the default port (5439) because an attacker can easily guess the port (read more) Documentation
RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5
Low Networking and Firewall RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more) Documentation
ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e
Low Networking and Firewall ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more) Documentation
CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607
Low Networking and Firewall All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more) Documentation
ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f
Low Networking and Firewall ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more) Documentation
CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e
Low Observability CloudTrail log file validation should be enabled to determine whether a log file has been tampered with (read more) Documentation
Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74
Low Observability AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more) Documentation
EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c
Info Best Practices It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more) Documentation

GCP

Below are listed queries related to Ansible GCP:

Query Severity Category Description Help
Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2
High Access Control Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more) Documentation
VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd
High Access Control A VM instance is configured to use the default service account with full access to all Cloud APIs (read more) Documentation
BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2
High Access Control BigQuery dataset is anonymously or publicly accessible (read more) Documentation
SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8
High Backup Checks if backup configuration is enabled for all Cloud SQL Database instances (read more) Documentation
DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a
High Encryption DNSSEC should not use the RSASHA1 algorithm (read more) Documentation
SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb
High Encryption Cloud SQL Database Instance should have SSL enabled (read more) Documentation
PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514
High Insecure Configurations PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more) Documentation
MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c
High Insecure Configurations MySQL Instance should not have Local Infile On (read more) Documentation
Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518
High Insecure Configurations Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more) Documentation
Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5
High Insecure Configurations Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more) Documentation
Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7
High Insecure Configurations Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more) Documentation
Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f
High Insecure Configurations GCP SQL Instance should not have Cross DB Ownership Chaining On (read more) Documentation
Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8
High Insecure Configurations SQL Instance should not have Contained Database Authentication On (read more) Documentation
IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05
High Insecure Configurations Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more) Documentation
GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b
High Insecure Configurations Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more) Documentation
GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1
High Insecure Configurations GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more) Documentation
SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b
High Insecure Configurations Cloud SQL instances should not be publicly accessible. (read more) Documentation
Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9
High Insecure Configurations Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more) Documentation
Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790
High Insecure Configurations Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more) Documentation
Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82
High Networking and Firewall Compute instances shouldn't be accessible from the Internet. (read more) Documentation
GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83
High Networking and Firewall Master authorized networks must be enabled in GKE clusters (read more) Documentation
Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7
High Observability Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more) Documentation
Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd
High Observability Cloud storage bucket should have logging enabled (read more) Documentation
PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b
High Observability PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more) Documentation
Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525
High Observability Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' (read more) Documentation
PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317
High Observability PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more) Documentation
Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929
High Observability Cloud Storage Bucket should have versioning enabled (read more) Documentation
Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf
High Resource Management Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more) Documentation
Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3
Medium Encryption VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more) Documentation
Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26
Medium Encryption This query checks whether the Google Compute SSL Policy has weak cipher suites enabled. To do so, it checks that the TLS version is TLS_1_2, because other versions have weak ciphers (read more) Documentation
Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b
Medium Insecure Configurations Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more) Documentation
Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03
Medium Insecure Configurations DNSSEC must be enabled for Cloud DNS (read more) Documentation
OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33
Medium Insecure Configurations VM instance should have OSLogin enabled (read more) Documentation
Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd
Medium Insecure Configurations Instances must not be configured to use the Default Service Account, which has full access to all Cloud APIs. This means the attribute 'service_account_email' must be defined, must not be empty and must not be a default Google Compute Engine service account. (read more) Documentation
Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc
Medium Insecure Configurations Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more) Documentation
COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778
Medium Insecure Configurations The node image should be Container-Optimized OS(COS) (read more) Documentation
GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240
Medium Insecure Defaults Kubernetes Engine Clusters should not be configured to use the default service account (read more) Documentation
Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350
Medium Networking and Firewall Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more) Documentation
SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016
Medium Networking and Firewall Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privilege (read more) Documentation
RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77
Medium Networking and Firewall Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more) Documentation
Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af
Medium Networking and Firewall Google Compute Network should not use a firewall rule that allows all ports (read more) Documentation
Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f
Medium Networking and Firewall Google Compute Network should not use default firewall rule (read more) Documentation
IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f
Medium Networking and Firewall Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more) Documentation
PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c
Medium Observability PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more) Documentation
PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711
Medium Observability PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more) Documentation
Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79
Medium Secret Management VM Instance should block project-wide SSH keys (read more) Documentation
High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de
Medium Secret Management KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more) Documentation
Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b
Low Networking and Firewall Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more) Documentation
Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00
Low Networking and Firewall Google Compute Network should not use a firewall rule that allows port range (read more) Documentation

CONFIG

Below are listed queries related to Ansible CONFIG:

Query Severity Category Description Help
Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5
High Insecure Configurations When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more) Documentation
Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1
Medium Access Control In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more) Documentation
Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43
Medium Insecure Configurations Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more) Documentation
Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b
Low Best Practices To keep sensitive values out of logs, tasks that expose them need to define 'no_log' and set it to True (read more) Documentation

HOSTS

Below are listed queries related to Ansible HOSTS:

Query Severity Category Description Help
Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc
Medium Best Practices Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more) Documentation