
CloudFormation

CloudFormation Queries List

This page contains all queries from CloudFormation.

AWS

Below are listed the queries related to CloudFormation on AWS:

Query Severity Category Description Help
S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58
High Access Control S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more) Documentation
S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170
High Access Control S3 Buckets should not be readable to all users (read more) Documentation
ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff
High Access Control ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more) Documentation
S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252
High Access Control S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more) Documentation
S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9
High Access Control S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more) Documentation
S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085
High Access Control The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more) Documentation
SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13
High Access Control SNS Topic Policy should not allow any principal to access (read more) Documentation
S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9
High Access Control S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more) Documentation
IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368
High Access Control IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more) Documentation
S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced
High Access Control S3 Buckets should not be readable and writable to all users (read more) Documentation
MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab
High Access Control Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more) Documentation
Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69
High Access Control AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more) Documentation
S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0
High Access Control S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more) Documentation
S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69
High Access Control S3 bucket allows public policy (read more) Documentation
S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba
High Access Control S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more) Documentation
IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661
High Access Control IAM policies shouldn't allow full administrative privileges (for all resources) (read more) Documentation
S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f
High Access Control S3 Buckets should not be readable to any authenticated user (read more) Documentation
Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63
High Access Control Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more) Documentation
Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1
High Encryption Checks if the connection between CloudFront and the viewer is encrypted (read more) Documentation
Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388
High Encryption Checks if the connection between the CloudFront and the origin server is encrypted (read more) Documentation
ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c
High Encryption Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more) Documentation
ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821
High Encryption Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more) Documentation
Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e
High Encryption AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more) Documentation
S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9
High Encryption S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more) Documentation
MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768
High Encryption Ensure MSK Cluster encryption in rest and transit is enabled (read more) Documentation
EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6
High Encryption Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more) Documentation
S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5
High Encryption S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more) Documentation
User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be
High Encryption User Data Shell Script must be encoded (read more) Documentation
ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad
High Encryption It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more) Documentation
RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630
High Encryption RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more) Documentation
ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8
High Encryption ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more) Documentation
ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190
High Encryption ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more) Documentation
User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288
High Encryption User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more) Documentation
Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78
High Encryption AWS Redshift Cluster should have KMS CMK defined (read more) Documentation
ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68
High Encryption Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more) Documentation
IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184
High Encryption IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more) Documentation
ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8
High Encryption Check if the ELB is setup with SSL or HTTPS for secure communication (read more) Documentation
SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe
High Encryption Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more) Documentation
API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b
High Encryption 'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more) Documentation
EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658
High Encryption Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more) Documentation
Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650
High Encryption AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more) Documentation
DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac
High Encryption AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more) Documentation
S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61
High Encryption If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more) Documentation
CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84
High Encryption Ensure that storage is encrypted. (read more) Documentation
EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622
High Encryption Elastic File System (EFS) must be encrypted (read more) Documentation
Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c
High Encryption Check if secure ciphers aren't used in CloudFront (read more) Documentation
CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db
High Encryption Specifying credentials in the template itself is probably not safe to do. (read more) Documentation
API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e
High Insecure Configurations API Gateway should have a Security Policy defined and use TLS 1.2. (read more) Documentation
KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba
High Insecure Configurations The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more) Documentation
DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007
High Insecure Configurations RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more) Documentation
Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36
High Insecure Configurations Batch Job Definition should not have Privileged Container Properties (read more) Documentation
Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3
High Insecure Configurations AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more) Documentation
CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303
High Insecure Configurations CloudFront Minimum Protocol version should be at least TLS 1.2 (read more) Documentation
Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf
High Insecure Configurations The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more) Documentation
S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583
High Insecure Configurations If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more) Documentation
S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317
High Insecure Configurations Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more) Documentation
S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c
High Insecure Configurations S3 bucket without restriction of public bucket (read more) Documentation
ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45
High Insecure Configurations Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more) Documentation
Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40
High Insecure Defaults WebAcl DefaultAction should not be ALLOW (read more) Documentation
Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041
High Insecure Defaults CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more) Documentation
Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c
High Networking and Firewall No security group should allow unrestricted egress access (read more) Documentation
Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2
High Networking and Firewall AWS Security Group should not have an unknown port exposed to the entire Internet (read more) Documentation
Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14
High Networking and Firewall AWS Security Group Ingress CIDR should not be open to the world (read more) Documentation
ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4
High Networking and Firewall The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more) Documentation
RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091
High Networking and Firewall RDS should not run in public subnet (read more) Documentation
Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151
High Networking and Firewall Route53 HostedZone must have the Record Set defined. (read more) Documentation
Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205
High Networking and Firewall Check if default security group does not restrict all inbound and outbound traffic. (read more) Documentation
EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3
High Networking and Firewall Ensure Amazon EKS Node group has implict SSH access (read more) Documentation
EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a
High Networking and Firewall EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more) Documentation
Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf
High Networking and Firewall Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more) Documentation
DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79
High Networking and Firewall The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more) Documentation
Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1
High Networking and Firewall 'SSH' (TCP:22) should not be public in AWS Security Group (read more) Documentation
Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5
High Networking and Firewall ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more) Documentation
Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7
High Networking and Firewall Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more) Documentation
DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899
High Networking and Firewall The IP address in a DB Security Group must not have more than 256 hosts. (read more) Documentation
SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36
High Networking and Firewall SageMaker Notebook must be placed in a VPC (read more) Documentation
HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa
High Networking and Firewall The HTTP port is open to the internet in a Security Group (read more) Documentation
EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c
High Networking and Firewall EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more) Documentation
Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a
High Networking and Firewall The Remote Desktop port is open to the internet in a Security Group (read more) Documentation
Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002
High Networking and Firewall Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more) Documentation
EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed
High Networking and Firewall The EC2 instance has a sensitive port connection exposed to the entire network (read more) Documentation
Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48
High Networking and Firewall Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more) Documentation
ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32
High Networking and Firewall AWS Application Load Balancer (alb) should not listen on HTTP (read more) Documentation
EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576
High Networking and Firewall NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more) Documentation
CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5
High Observability Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more) Documentation
CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0
High Observability Checks if logging is enabled for CloudTrail. (read more) Documentation
S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c
High Observability Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more) Documentation
EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2
Medium Access Control Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more) Documentation
KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba
Medium Access Control KMS Should not allow Principal parameter to be set as * (read more) Documentation
IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5
Medium Access Control IAM policies should be attached only to groups or roles (read more) Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195
Medium Access Control SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more) Documentation
Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7
Medium Access Control Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more) Documentation
SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034
Medium Access Control Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using NotPrincipal in the same policy statement as "Effect": "Allow". (read more) Documentation
EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6
Medium Access Control Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more) Documentation
Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7
Medium Access Control Lambda Permission Principal should not contain a wildcard. (read more) Documentation
Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02
Medium Access Control Neptune Cluster should have IAM Database Authentication enabled (read more) Documentation
IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade
Medium Access Control IAM policies should be applied to groups and not to users (read more) Documentation
IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5
Medium Access Control IoT Policy should not allow Action to be set as * (read more) Documentation
API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f
Medium Access Control An API Key should be required on a method request. (read more) Documentation
IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3
Medium Access Control IoT Policy should not allow Resource to be set as * (read more) Documentation
SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de
Medium Access Control AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more) Documentation
Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb
Medium Access Control Check if any ECS cluster has not defined proper roles for services' task definitions. (read more) Documentation
Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2
Medium Access Control Allowing to run lambda function using public API Gateway (read more) Documentation
API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28
Medium Access Control API Gateway REST API should have an API Gateway Authorizer (read more) Documentation
S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26
Medium Access Control S3 bucket allows public ACL (read more) Documentation
Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705
Medium Access Control AWS Elasticsearch should ensure IAM Authentication (read more) Documentation
ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134
Medium Access Control Amazon ECR image repositories shouldn't have public access (read more) Documentation
SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d
Medium Access Control Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more) Documentation
EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b
Medium Availability EBS Volumes that are unattached to instances may contain sensitive data (read more) Documentation
Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c
Medium Availability AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more) Documentation
ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150
Medium Availability ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more) Documentation
CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602
Medium Availability AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more) Documentation
ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528
Medium Availability ECS Service should have at least 1 task running (read more) Documentation
Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f
Medium Backup Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more) Documentation
Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d
Medium Backup AWS RDS backup retention policy should be at least 7 days (read more) Documentation
RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69
Medium Backup AWS RDS Instance should have a multi-az deployment (read more) Documentation
RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9
Medium Backup Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more) Documentation
Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc
Medium Best Practices AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more) Documentation
IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1
Medium Best Practices IAM password should have the required minimum length (read more) Documentation
ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d
Medium Best Practices Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more) Documentation
IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f
Medium Best Practices Make sure that any managed IAM policies are implemented in a group and not in a user. (read more) Documentation
IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7
Medium Best Practices IAM password should have the required symbols (read more) Documentation
IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955
Medium Best Practices IAM user resource Login Profile Password should have at least one number (read more) Documentation
IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902
Medium Best Practices IAM password should have at least one uppercase letter (read more) Documentation
IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497
Medium Best Practices IAM Password should have at least one lowercase letter (read more) Documentation
IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a
Medium Best Practices IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more) Documentation
IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540
Medium Encryption IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more) Documentation
AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f
Medium Encryption AmazonMQ Broker should have Encryption Options defined (read more) Documentation
ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1
Medium Encryption Check if any ElasticSearch domain isn't encrypted with KMS. (read more) Documentation
Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35
Medium Encryption Checks if the ECR Image has been scanned (read more) Documentation
SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354
Medium Encryption KmsKeyId attribute should be defined (read more) Documentation
RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95
Medium Encryption RDS DBCluster should have storage encrypted set to true (read more) Documentation
Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc
Medium Encryption When StorageEncrypted is set to true, KmsKeyId should be defined, to avoid the use of the default KMS Key (read more) Documentation
CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85
Medium Encryption Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more) Documentation
ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb
Medium Encryption Check if ElasticSearch encryption is disabled at Rest (read more) Documentation
CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad
Medium Encryption CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more) Documentation
Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d
Medium Encryption Check if the Memcached is disabled on the ElastiCache (read more) Documentation
Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111
Medium Encryption Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more) Documentation
Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9
Medium Encryption Check if AWS config rules do not identify Encrypted Volumes as a source. (read more) Documentation
KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb
Medium Encryption EnableKeyRotation should not be false or undefined (read more) Documentation
Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93
Medium Encryption Neptune database cluster storage should have encryption enabled (read more) Documentation
EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9
Medium Encryption EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more) Documentation
DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f
Medium Encryption AWS DynamoDB Tables should have server-side encryption (read more) Documentation
SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1
Medium Encryption Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more) Documentation
EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162
Medium Encryption EBS volumes should be encrypted (read more) Documentation
API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a
Medium Encryption API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more) Documentation
Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db
Medium Encryption Workspaces should have encryption enabled (read more) Documentation
GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1
Medium Insecure Configurations Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more) Documentation
EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23
Medium Insecure Configurations EMR Cluster should have security configuration defined. (read more) Documentation
SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11
Medium Insecure Configurations SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more) Documentation
API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0
Medium Insecure Configurations API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more) Documentation
IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54
Medium Insecure Configurations An IAM User should not have more than one access key, since it increases the risk of unauthorized access and compromised credentials (read more) Documentation
Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583
Medium Insecure Configurations AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more) Documentation
IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1
Medium Insecure Configurations IAM User LoginProfile Password must not be a plaintext string (read more) Documentation
ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac
Medium Insecure Configurations ECR repositories should have immutable image tags. This prevents image tags from being overwritten. (read more) Documentation
API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25
Medium Insecure Configurations SSL Client Certificate should be enabled (read more) Documentation
Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861
Medium Insecure Configurations EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more) Documentation
MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61
Medium Insecure Configurations Check that no MQ Broker is publicly accessible (read more) Documentation
Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd
Medium Insecure Configurations Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group, ...) instead of the recommended equivalent managed policies. (read more) Documentation
Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46
Medium Insecure Configurations AWS Lambda Functions must have associated tags. (read more) Documentation
RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944
Medium Insecure Defaults In Route Tables, NAT gateways are recommended rather than a default route that permits all traffic. (read more) Documentation
S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738
Medium Insecure Defaults Checks if the S3 Bucket's name matches a Bucket Policy; if it does, the S3 Bucket has a Bucket Policy associated (read more) Documentation
ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845
Medium Networking and Firewall An AWS Elastic Load Balancer (ELB) shouldn't have security groups without inbound rules (read more) Documentation
Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16
Medium Networking and Firewall AWS Security Group Ingress should have a single port (read more) Documentation
API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34
Medium Networking and Firewall The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more) Documentation
VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9
Medium Networking and Firewall VPC should have a Network Firewall associated (read more) Documentation
Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610
Medium Networking and Firewall AWS Security Group Egress should have a single port (read more) Documentation
API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b
Medium Networking and Firewall API Gateway should have WAF (Web Application Firewall) enabled (read more) Documentation
ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c
Medium Networking and Firewall An AWS Elastic Load Balancer (ELB) shouldn't have security groups without outbound rules (read more) Documentation
Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558
Medium Networking and Firewall Security Groups must have a VPC. (read more) Documentation
TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163
Medium Networking and Firewall TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more) Documentation
Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a
Medium Networking and Firewall AWS Security Group Egress CIDR should not be open to the world (read more) Documentation
EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88
Medium Networking and Firewall To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more) Documentation
ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b
Medium Networking and Firewall All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more) Documentation
Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c
Medium Networking and Firewall AWS Security Group Egress should not specify all protocols, to prevent allowing traffic on all ports (read more) Documentation
GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd
Medium Networking and Firewall AWS GameLift Fleet EC2InboundPermissions should have a single port (read more) Documentation
Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b
Medium Networking and Firewall AWS Security Group Ingress should not specify all protocols, to prevent allowing traffic on all ports (read more) Documentation
Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d
Medium Observability AWS Config Configuration Aggregator All Regions must be set to True (read more) Documentation
ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8
Medium Observability Ensure that AWS Elasticsearch enables support for slow logs (read more) Documentation
Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7
Medium Observability AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more) Documentation
API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941
Medium Observability API Gateway Stage should have Access Logging Settings defined (read more) Documentation
API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5
Medium Observability API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more) Documentation
CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642
Medium Observability AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more) Documentation
MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b
Medium Observability Ensure MSK Cluster Logging is enabled (read more) Documentation
ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028
Medium Observability ELB should have access log enabled (read more) Documentation
GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac
Medium Observability Make sure that Amazon GuardDuty is Enabled (read more) Documentation
S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c
Medium Observability Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more) Documentation
CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7
Medium Observability CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more) Documentation
CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0
Medium Observability Check if CloudWatch logging is disabled for Route53 hosted zones (read more) Documentation
CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf
Medium Observability Checks if CloudWatch Metrics is Enabled (read more) Documentation
ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621
Medium Observability ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more) Documentation
S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54
Medium Observability S3 bucket should have versioning enabled (read more) Documentation
CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44
Medium Observability CloudTrail should be integrated with CloudWatch (read more) Documentation
Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6
Medium Observability Make sure Logging is enabled for Redshift Cluster (read more) Documentation
Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996
Medium Observability AWS Elasticsearch should have logs enabled (read more) Documentation
API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de
Medium Observability API Gateway should have X-Ray Tracing enabled (read more) Documentation
CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3
Medium Observability Check if SNS topic name is set for CloudTrail (read more) Documentation
MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050
Medium Observability Check if MQ Brokers have logging disabled for both of the available options (audit and general). (read more) Documentation
Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db
Medium Secret Management Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) Documentation
SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52
Medium Secret Management KmsMasterKeyId attribute should not be undefined (read more) Documentation
DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024
Medium Secret Management DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) Documentation
Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696
Medium Secret Management Lambda access/secret keys should not be hardcoded (read more) Documentation
RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189
Medium Secret Management Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more) Documentation
Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69
Medium Secret Management Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) Documentation
Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7
Medium Secret Management Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) Documentation
DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d
Medium Secret Management DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) Documentation
Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22
Medium Secret Management Secrets Manager Secret should explicitly specify KmsKeyId; this allows the secret to be shared cross-account (read more) Documentation
Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989
Medium Secret Management DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) Documentation
Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7
Medium Secret Management Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more) Documentation
Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be
Medium Secret Management Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) Documentation
EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42
Medium Secret Management EBS Volume should specify a KmsKeyId value (read more) Documentation
DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d
Medium Secret Management DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more) Documentation
High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2
Medium Secret Management ConfigRule should enforce access keys to be rotated within 90 days. (read more) Documentation
Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744
Low Access Control Check if any AWS Support policy has no role, user or group associated, which means it is not being managed. (read more) Documentation
EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279
Low Access Control EC2 instances should not use default security group(s) (read more) Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6
Low Access Control IAM Policy should not grant 'AssumeRole' permission across all services. (read more) Documentation
IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c
Low Access Control IAM Group should have at least one user associated (read more) Documentation
IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e
Low Access Control An IAM user should belong to a group (read more) Documentation
IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6
Low Access Control IAM role allows all services or principals to assume it (read more) Documentation
VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e
Low Availability The number of gateways attached to a particular VPC should not approach or exceed the limit of 3 (read more) Documentation
RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e
Low Backup RDS DBInstance should have deletion protection set to true (read more) Documentation
Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa
Low Best Practices Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction' (read more) Documentation
Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195
Low Best Practices Geo Restriction feature should be enabled, to restrict or allow users in specific locations from accessing web application content (read more) Documentation
CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2
Low Best Practices Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more) Documentation
Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281
Low Best Practices RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more) Documentation
IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da
Low Best Practices IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more) Documentation
Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd
Low Best Practices AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more) Documentation
IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512
Low Best Practices IAM policies should not be attached directly to users; they should be attached to a group (read more) Documentation
EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162
Low Build Process Amazon Elastic Filesystem should have filesystem tags associated (read more) Documentation
DynamoDB With Not Recommended Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6
Low Build Process Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more) Documentation
API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d
Low Insecure Configurations AWS API Gateway should have cache clustering enabled (read more) Documentation
Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d
Low Insecure Configurations AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more) Documentation
Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131
Low Insecure Configurations ACM Certificate should not use wildcards (*) in the domain name (read more) Documentation
S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a
Low Insecure Configurations S3 buckets should be configured to ignore public ACLs (read more) Documentation
Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a
Low Networking and Firewall Redshift should not use the default port (5439) because an attacker can easily guess the port (read more) Documentation
RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b
Low Networking and Firewall RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more) Documentation
EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe
Low Networking and Firewall A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more) Documentation
Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf
Low Networking and Firewall AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more) Documentation
CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d
Low Networking and Firewall All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more) Documentation
EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3
Low Networking and Firewall Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more) Documentation
EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e
Low Networking and Firewall EC2 Instances should not be configured under a default VPC network (read more) Documentation
ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b
Low Networking and Firewall ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more) Documentation
ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e
Low Networking and Firewall ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more) Documentation
ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd
Low Observability Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more) Documentation
Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c
Low Observability AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more) Documentation
VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b
Low Observability Every VPC resource should have an associated Flow Log (read more) Documentation
CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8
Low Observability CloudTrail log file validation should be enabled to determine whether a log file has been tampered with (read more) Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca
Low Observability API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more) Documentation
VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a
Low Resource Management VPCs without attached subnets may indicate that they are not being used (read more) Documentation
API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071
Low Resource Management API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more) Documentation
SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d
Low Resource Management SimpleDB Domain resource should not be declared (read more) Documentation
ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51
Low Resource Management In an ECS Task Definition with the FARGATE launch type, specifying an invalid CPU or Memory value results in an error (read more) Documentation
EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40
Info Best Practices It's considered a best practice for an EC2 instance to be EBS-optimized. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more) Documentation
Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5
Info Best Practices It's considered a best practice for AWS Security Group to have a description (read more) Documentation
EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0
Info Observability EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more) Documentation

AWS_BOM

Below are the queries related to CloudFormation AWS_BOM:

Query Severity Category Description Help
BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4
Trace Bill Of Materials A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more) Documentation
BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb
Trace Bill Of Materials A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more) Documentation
BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c
Trace Bill Of Materials A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more) Documentation
BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b
Trace Bill Of Materials A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more) Documentation
BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef
Trace Bill Of Materials A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more) Documentation
BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df
Trace Bill Of Materials A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more) Documentation
BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2
Trace Bill Of Materials A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more) Documentation
BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16
Trace Bill Of Materials A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more) Documentation
BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136
Trace Bill Of Materials A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more) Documentation
BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea
Trace Bill Of Materials A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more) Documentation
BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c
Trace Bill Of Materials A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more) Documentation
BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83
Trace Bill Of Materials A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more) Documentation

AWS_SAM

Below are the queries related to CloudFormation AWS_SAM:

Query Severity Category Description Help
Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572
High Encryption AWS Serverless Function should encrypt environment variables (read more) Documentation
Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800
Medium Encryption AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more) Documentation
Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92
Medium Insecure Configurations AWS Serverless Function should not share an IAM Role, to ensure it will have the minimum privileges needed to perform the required tasks (read more) Documentation
Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98
Medium Insecure Configurations AWS Serverless Function should have associated tags (read more) Documentation
Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef
Medium Networking and Firewall AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more) Documentation
Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b
Medium Observability AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more) Documentation
Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315
Medium Observability AWS Serverless API should have X-Ray Tracing enabled (read more) Documentation
Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18
Low Insecure Configurations AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more) Documentation
Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79
Low Insecure Configurations AWS Serverless API should have cache clustering enabled (read more) Documentation
Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8
Low Observability AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more) Documentation