CloudFormation
CloudFormation Queries List¶
This page contains all queries from CloudFormation.
AWS¶
Bellow are listed queries related with CloudFormation AWS:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| S3 Bucket Allows Put Action From All Principals f6397a20-4cf1-4540-a997-1d363c25ef58 |
High | Access Control | S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more) | Documentation |
| S3 Bucket ACL Allows Read to All Users 219f4c95-aa50-44e0-97de-cf71f4641170 |
High | Access Control | S3 Buckets should not be readable to all users (read more) | Documentation |
| ECS Service Admin Role Is Present 01986452-bdd8-4aaa-b5df-d6bf61d616ff |
High | Access Control | ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more) | Documentation |
| S3 Bucket Allows Delete Action From All Principals acc78859-765e-4011-a229-a65ea57db252 |
High | Access Control | S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more) | Documentation |
| S3 Bucket Allows List Action From All Principals faa8fddf-c0aa-4b2d-84ff-e993e233ebe9 |
High | Access Control | S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more) | Documentation |
| S3 Bucket Access to Any Principal 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085 |
High | Access Control | The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more) | Documentation |
| SNS Topic is Publicly Accessible ae53ce91-42b5-46bf-a84f-9a13366a4f13 |
High | Access Control | SNS Topic Policy should not allow any principal to access (read more) | Documentation |
| S3 Bucket With All Permissions 4ae8af91-5108-42cb-9471-3bdbe596eac9 |
High | Access Control | S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more) | Documentation |
| IAM Policy Grants Full Permissions f62aa827-4ade-4dc4-89e4-1433d384a368 |
High | Access Control | IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more) | Documentation |
| S3 Bucket ACL Allows Read Or Write to All Users 07dda8de-d90d-469e-9b37-1aca53526ced |
High | Access Control | S3 Buckets should not be readable and writable to all users (read more) | Documentation |
| MSK Broker Is Publicly Accessible 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab |
High | Access Control | Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more) | Documentation |
| Lambda Functions With Full Privileges a0ae0a4e-712b-4115-8112-51b9eeed9d69 |
High | Access Control | AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more) | Documentation |
| S3 Bucket Allows Restore Actions From All Principals 456b00a3-1072-4149-9740-6b8bb60251b0 |
High | Access Control | S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more) | Documentation |
| S3 Bucket Allows Public Policy 860ba89b-b8de-4e72-af54-d6aee4138a69 |
High | Access Control | S3 bucket allows public policy (read more) | Documentation |
| S3 Bucket Allows Get Action From All Principals f97b7d23-568f-4bcc-9ac9-02df0d57fbba |
High | Access Control | S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more) | Documentation |
| IAM Policies With Full Privileges 953b3cdb-ce13-428a-aa12-318726506661 |
High | Access Control | IAM policies shouldn't allow full administrative privileges (for all resources) (read more) | Documentation |
| S3 Bucket ACL Allows Read to Any Authenticated User 835d5497-a526-4aea-a23f-98a9afd1635f |
High | Access Control | S3 Buckets should not be readable to any authenticated user (read more) | Documentation |
| Amazon DMS Replication Instance Is Publicly Accessible 5864fb39-d719-4182-80e2-89dbe627be63 |
High | Access Control | Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more) | Documentation |
| Cloudfront Viewer Protocol Policy Allows HTTP 31733ee2-fef0-4e87-9778-65da22a8ecf1 |
High | Encryption | Checks if the connection between CloudFront and the viewer is encrypted (read more) | Documentation |
| Connection Between CloudFront Origin Not Encrypted a5366a50-932f-4085-896b-41402714a388 |
High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted (read more) | Documentation |
| ECS Cluster Not Encrypted At Rest 6c131358-c54d-419b-9dd6-1f7dd41d180c |
High | Encryption | Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more) | Documentation |
| ElastiCache With Disabled at Rest Encryption e4ee3903-9225-4b6a-bdfb-e62dbadef821 |
High | Encryption | Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more) | Documentation |
| Redshift Not Encrypted 3b316b05-564c-44a7-9c3f-405bb95e211e |
High | Encryption | AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more) | Documentation |
| S3 Bucket Without SSL In Write Actions 38c64e76-c71e-4d92-a337-60174d1de1c9 |
High | Encryption | S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more) | Documentation |
| MSK Cluster Encryption Disabled a976d63f-af0e-46e8-b714-8c1a9c4bf768 |
High | Encryption | Ensure MSK Cluster encryption in rest and transit is enabled (read more) | Documentation |
| EFS Without KMS 6d087495-2a42-4735-abf7-02ef5660a7e6 |
High | Encryption | Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more) | Documentation |
| S3 Bucket Without Server-side-encryption b2e8752c-3497-4255-98d2-e4ae5b46bbf5 |
High | Encryption | S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more) | Documentation |
| User Data Shell Script Is Encoded 48c3bc58-6959-4f27-b647-4fedeace23be |
High | Encryption | User Data Shell Script must be encoded (read more) | Documentation |
| ECS Task Definition Container With Plaintext Password f9b10cdb-eaab-4e39-9793-e12b94a582ad |
High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more) | Documentation |
| RDS Storage Not Encrypted 5beacce3-4020-4a3d-9e1d-a36f953df630 |
High | Encryption | RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more) | Documentation |
| ELB Using Insecure Protocols 61a94903-3cd3-4780-88ec-fc918819b9c8 |
High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more) | Documentation |
| ELB Using Weak Ciphers 809f77f8-d10e-4842-a84f-3be7b6ff1190 |
High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more) | Documentation |
| User Data Contains Encoded Private Key 568cc372-ca64-420d-9015-ee347d00d288 |
High | Encryption | User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more) | Documentation |
| Redshift Cluster Without KMS CMK de76a0d6-66d5-45c9-9022-f05545b85c78 |
High | Encryption | AWS Redshift Cluster should have KMS CMK defined (read more) | Documentation |
| ElastiCache With Disabled Transit Encryption 3b02569b-fc6f-4153-b3a3-ba91022fed68 |
High | Encryption | Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more) | Documentation |
| IAM Database Auth Not Enabled 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184 |
High | Encryption | IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more) | Documentation |
| ELB Without Secure Protocol 80908a75-586b-4c61-ab04-490f4f4525b8 |
High | Encryption | Check if the ELB is setup with SSL or HTTPS for secure communication (read more) | Documentation |
| SageMaker Data Encryption Disabled 709e6da6-fa1f-44cc-8f17-7f25f96dadbe |
High | Encryption | Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more) | Documentation |
| API Gateway Cache Encrypted Disabled 37cca703-b74c-48ba-ac81-595b53398e9b |
High | Encryption | 'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more) | Documentation |
| EFS Volume With Disabled Transit Encryption c1282e03-b285-4637-aee7-eefe3a7bb658 |
High | Encryption | Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more) | Documentation |
| Kinesis SSE Not Configured 7f65be75-90ab-4036-8c2a-410aef7bb650 |
High | Encryption | AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more) | Documentation |
| DynamoDB With Aws Owned CMK c8dee387-a2e6-4a73-a942-183c975549ac |
High | Encryption | AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more) | Documentation |
| S3 Bucket SSE Disabled 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61 |
High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more) | Documentation |
| CMK Unencrypted Storage ffee2785-c347-451e-89f3-11aeb08e5c84 |
High | Encryption | Ensure that storage is encrypted. (read more) | Documentation |
| EFS Not Encrypted 2ff8e83c-90e1-4d68-a300-6d652112e622 |
High | Encryption | Elastic File System (EFS) must be encrypted (read more) | Documentation |
| Secure Ciphers Disabled be96849c-3df6-49c2-bc16-778a7be2519c |
High | Encryption | Check if secure ciphers aren't used in CloudFront (read more) | Documentation |
| CloudFormation Specifying Credentials Not Safe 9ecb6b21-18bc-4aa7-bd07-db20f1c746db |
High | Encryption | Specifying credentials in the template itself is probably not safe to do. (read more) | Documentation |
| API Gateway Without Security Policy 8275fab0-68ec-4705-bbf4-86975edb170e |
High | Insecure Configurations | API Gateway should have a Security Policy defined and use TLS 1.2. (read more) | Documentation |
| KMS Key With Full Permissions da905474-7454-43c0-b8d2-5756ab951aba |
High | Insecure Configurations | The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more) | Documentation |
| DB Instance Publicly Accessible de38e1d5-54cb-4111-a868-6f7722695007 |
High | Insecure Configurations | RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more) | Documentation |
| Batch Job Definition With Privileged Container Properties 76ddf32c-85b1-4808-8935-7eef8030ab36 |
High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties (read more) | Documentation |
| Redshift Publicly Accessible bdf8dcb4-75df-4370-92c4-606e4ae6c4d3 |
High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more) | Documentation |
| CloudFront Without Minimum Protocol TLS 1.2 dc17ee4b-ddf2-4e23-96e8-7a36abad1303 |
High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 (read more) | Documentation |
| Root Account Has Active Access Keys 4c137350-7307-4803-8c04-17c09a7a9fcf |
High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more) | Documentation |
| S3 Bucket With Unsecured CORS Rule 3609d27c-3698-483a-9402-13af6ae80583 |
High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more) | Documentation |
| S3 Static Website Host Enabled 90501b1b-cded-4cc1-9e8b-206b85cda317 |
High | Insecure Configurations | Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more) | Documentation |
| S3 Bucket Without Restriction Of Public Bucket 350cd468-0e2c-44ef-9d22-cfb73a62523c |
High | Insecure Configurations | S3 bucket without restriction of public bucket (read more) | Documentation |
| ECS Task Definition Network Mode Not Recommended 027a4b7a-8a59-4938-a04f-ed532512cf45 |
High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more) | Documentation |
| Permissive Web ACL Default Action 6d64f311-3da6-45f3-80f1-14db9771ea40 |
High | Insecure Defaults | WebAcl DefaultAction should not be ALLOW (read more) | Documentation |
| Vulnerable Default SSL Certificate b4d9c12b-bfba-4aeb-9cb8-2358546d8041 |
High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more) | Documentation |
| Security Groups Allows Unrestricted Outbound Traffic 66f2d8f9-a911-4ced-ae27-34f09690bb2c |
High | Networking and Firewall | No security group should allow unrestricted egress access (read more) | Documentation |
| Unknown Port Exposed To Internet 829ce3b8-065c-41a3-ad57-e0accfea82d2 |
High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet (read more) | Documentation |
| Unrestricted Security Group Ingress 4a1e6b34-1008-4e61-a5f2-1f7c276f8d14 |
High | Networking and Firewall | AWS Security Group Ingress CIDR should not be open to the world (read more) | Documentation |
| ELB Sensitive Port Is Exposed To Entire Network 78055456-f670-4d2e-94d5-392d1cf4f5e4 |
High | Networking and Firewall | The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more) | Documentation |
| RDS Associated with Public Subnet 4e88adee-a8eb-4605-a78d-9fb1096e3091 |
High | Networking and Firewall | RDS should not run in public subnet (read more) | Documentation |
| Route53 Record Undefined 24d932e1-91f0-46ea-836f-fdbd81694151 |
High | Networking and Firewall | Route53 HostedZone must have the Record Set defined. (read more) | Documentation |
| Default Security Groups With Unrestricted Traffic ea33fcf7-394b-4d11-a228-985c5d08f205 |
High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. (read more) | Documentation |
| EKS node group remote access 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3 |
High | Networking and Firewall | Ensure Amazon EKS Node group has implict SSH access (read more) | Documentation |
| EC2 Public Instance Exposed Through Subnet c44c95fc-ae92-4bb8-bdf8-bb9bc412004a |
High | Networking and Firewall | EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more) | Documentation |
| Elasticsearch with HTTPS disabled 4cdc88e6-c0c8-4081-a639-bb3a557cbedf |
High | Networking and Firewall | Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more) | Documentation |
| DB Security Group With Public Scope 9564406d-e761-4e61-b8d7-5926e3ab8e79 |
High | Networking and Firewall | The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more) | Documentation |
| Security Group With Unrestricted Access To SSH 6e856af2-62d7-4ba2-adc1-73b62cef9cc1 |
High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Security Group (read more) | Documentation |
| Fully Open Ingress e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5 |
High | Networking and Firewall | ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more) | Documentation |
| Security Groups With Exposed Admin Ports cdbb0467-2957-4a77-9992-7b55b29df7b7 |
High | Networking and Firewall | Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more) | Documentation |
| DB Security Group Open To Large Scope 0104165b-02d5-426f-abc9-91fb48189899 |
High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. (read more) | Documentation |
| SageMaker Notebook Not Placed In VPC 9c7028d9-04c2-45be-b8b2-1188ccaefb36 |
High | Networking and Firewall | SageMaker Notebook must be placed in a VPC (read more) | Documentation |
| HTTP Port Open To Internet ddfc4eaa-af23-409f-b96c-bf5c45dc4daa |
High | Networking and Firewall | The HTTP port is open to the internet in a Security Group (read more) | Documentation |
| EC2 Instance Subnet Has Public IP Mapping On Launch b3de4e4c-14be-4159-b99d-9ad194365e4c |
High | Networking and Firewall | EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more) | Documentation |
| Remote Desktop Port Open To Internet c9846969-d066-431f-9b34-8c4abafe422a |
High | Networking and Firewall | The Remote Desktop port is open to the internet in a Security Group (read more) | Documentation |
| Security Group Unrestricted Access To RDP 3ae83918-7ec7-4cb8-80db-b91ef0f94002 |
High | Networking and Firewall | Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more) | Documentation |
| EC2 Sensitive Port Is Publicly Exposed 494b03d3-bf40-4464-8524-7c56ad0700ed |
High | Networking and Firewall | The EC2 instance has a sensitive port connection exposed to the entire network (read more) | Documentation |
| Security Groups With Meta IP adcd0082-e90b-4b63-862b-21899f6e6a48 |
High | Networking and Firewall | Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more) | Documentation |
| ALB Listening on HTTP 275a3217-ca37-40c1-a6cf-bb57d245ab32 |
High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP (read more) | Documentation |
| EC2 Network ACL Overlapping Ports 77b6f1e2-bde4-4a6a-ae7e-a40659ff1576 |
High | Networking and Firewall | NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more) | Documentation |
| CMK Rotation Disabled 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5 |
High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more) | Documentation |
| CloudTrail Logging Disabled 5c0b06d5-b7a4-484c-aeb0-75a836269ff0 |
High | Observability | Checks if logging is enabled for CloudTrail. (read more) | Documentation |
| S3 Bucket CloudTrail Logging Disabled c3ce69fd-e3df-49c6-be78-1db3f802261c |
High | Observability | Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more) | Documentation |
| EC2 Network ACL Ineffective Denied Traffic 2623d682-dccb-44cd-99d0-54d9fd62f8f2 |
Medium | Access Control | Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more) | Documentation |
| KMS Allows Wildcard Principal f6049677-ec4a-43af-8779-5190b6d03cba |
Medium | Access Control | KMS Should not allow Principal parameter to be set as * (read more) | Documentation |
| IAM Policies Attached To User edc95c10-7366-4f30-9b4b-f995c84eceb5 |
Medium | Access Control | IAM policies should be attached only to groups or roles (read more) | Documentation |
| SNS Topic Publicity Has Allow and NotAction Simultaneously 818f38ed-8446-4132-9c03-474d49e10195 |
Medium | Access Control | SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more) | Documentation |
| Cross-Account IAM Assume Role Policy Without ExternalId or MFA 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7 |
Medium | Access Control | Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more) | Documentation |
| SQS Queue Policy Allows NotPrincipal 4a8fc9a2-2b2f-4b3f-aa8d-401425872034 |
Medium | Access Control | Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using NotPrincipal in the same policy statement as "Effect": "Allow". (read more) |
Documentation |
| EC2 Instance Has No IAM Role f914357d-8386-4d56-9ba6-456e5723f9a6 |
Medium | Access Control | Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more) | Documentation |
| Lambda Permission Principal Is Wildcard 1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7 |
Medium | Access Control | Lambda Permission Principal should not contain a wildcard. (read more) | Documentation |
| Neptune Cluster With IAM Database Authentication Disabled a3aa0087-8228-4e7e-b202-dc9036972d02 |
Medium | Access Control | Neptune Cluster should have IAM Database Authentication enabled (read more) | Documentation |
| IAM Policy On User e4239438-e639-44aa-adb8-866e400e3ade |
Medium | Access Control | IAM policies should be applied to groups and not to users (read more) | Documentation |
| IoT Policy Allows Action as Wildcard 4d32780f-43a4-424a-a06d-943c543576a5 |
Medium | Access Control | IoT Policy should not allow Action to be set as * (read more) | Documentation |
| API Gateway Method Does Not Contains An API Key 3641d5b4-d339-4bc2-bfb9-208fe8d3477f |
Medium | Access Control | An API Key should be required on a method request. (read more) | Documentation |
| IoT Policy Allows Wildcard Resource be5b230d-4371-4a28-a441-85dc760e2aa3 |
Medium | Access Control | IoT Policy should not allow Resource to be set as * (read more) | Documentation |
| SQS Queue Policy Allows NotAction 4fbfee74-8186-40d5-a24e-4baa76a855de |
Medium | Access Control | AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more) | Documentation |
| Empty Roles For ECS Cluster Task Definitions 7f384a5f-b5a2-4d84-8ca3-ee0a5247becb |
Medium | Access Control | Check if any ECS cluster has not defined proper roles for services' task definitions. (read more) | Documentation |
| Public Lambda via API Gateway 57b12981-3816-4c31-b190-a1e614361dd2 |
Medium | Access Control | Allowing to run lambda function using public API Gateway (read more) | Documentation |
| API Gateway Without Configured Authorizer 7fd0d461-5b8c-4815-898c-f2b4b117eb28 |
Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer (read more) | Documentation |
| S3 Bucket Allows Public ACL 48f100d9-f499-4c6d-b2b8-deafe47ffb26 |
Medium | Access Control | S3 bucket allows public ACL (read more) | Documentation |
| Elasticsearch Without IAM Authentication 5c666ed9-b586-49ab-9873-c495a833b705 |
Medium | Access Control | AWS Elasticsearch should ensure IAM Authentication (read more) | Documentation |
| ECR Repository Is Publicly Accessible 75be209d-1948-41f6-a8c8-e22dd0121134 |
Medium | Access Control | Amazon ECR image repositories shouldn't have public access (read more) | Documentation |
| SQS Policy With Public Access 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d |
Medium | Access Control | Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more) | Documentation |
| EBS Volume Not Attached To Instances 1819ac03-542b-4026-976b-f37addd59f3b |
Medium | Availability | EBS Volumes that are unattached to instances may contain sensitive data (read more) | Documentation |
| Auto Scaling Group With No Associated ELB ad21e616-5026-4b9d-990d-5b007bfe679c |
Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more) | Documentation |
| ElastiCache Nodes Not Created Across Multi AZ cfdef2e5-1fe4-4ef4-bea8-c56e08963150 |
Medium | Availability | ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more) | Documentation |
| CMK Is Unusable 2844c749-bd78-4cd1-90e8-b179df827602 |
Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more) | Documentation |
| ECS Service Without Running Tasks 79d745f0-d5f3-46db-9504-bef73e9fd528 |
Medium | Availability | ECS Service should have at least 1 task running (read more) | Documentation |
| Stack Retention Disabled fe974ae9-858e-4991-bbd5-e040a834679f |
Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more) | Documentation |
| Low RDS Backup Retention Period e649a218-d099-4550-86a4-1231e1fcb60d |
Medium | Backup | AWS RDS backup retention policy should be at least 7 days (read more) | Documentation |
| RDS Multi-AZ Deployment Disabled 2b1d4935-9acf-48a7-8466-10d18bf51a69 |
Medium | Backup | AWS RDS Instance should have a multi-az deployment (read more) | Documentation |
| RDS With Backup Disabled 8c415f6f-7b90-4a27-a44a-51047e1506f9 |
Medium | Backup | Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more) | Documentation |
| Cognito UserPool Without MFA 74a18d1a-cf02-4a31-8791-ed0967ad7fdc |
Medium | Best Practices | AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more) | Documentation |
| IAM Password Without Minimum Length b1b20ae3-8fa7-4af5-a74d-a2145920fcb1 |
Medium | Best Practices | IAM password should have the required minimum length (read more) | Documentation |
| ECS No Load Balancer Attached fb2b0ecf-1492-491a-a70d-ba1df579175d |
Medium | Best Practices | Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more) | Documentation |
| IAM Managed Policy Applied to a User 0e5872b4-19a0-4165-8b2f-56d9e14b909f |
Medium | Best Practices | Make sure that any managed IAM policies are implemented in a group and not in a user. (read more) | Documentation |
| IAM Password Without Symbol d72a7869-e8b9-4e12-bcd2-e8be10b39fa7 |
Medium | Best Practices | IAM password should have the required symbols (read more) | Documentation |
| IAM Password Without Number 839f238f-2e3a-4a72-b945-8abdf91af955 |
Medium | Best Practices | IAM user resource Login Profile Password should have at least one number (read more) | Documentation |
| IAM Password Without Uppercase Letter 445020f6-b69e-4484-847f-02d4b7768902 |
Medium | Best Practices | IAM password should have at least one uppercase letter (read more) | Documentation |
| IAM Password Without Lowercase Letter f4cf35d6-da92-48de-ab70-57be2b2e6497 |
Medium | Best Practices | IAM Password should have at least one lowercase letter (read more) | Documentation |
| IAM User Without Password Reset a964d6e3-8e1e-4d93-8120-61fa640dd55a |
Medium | Best Practices | IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more) | Documentation |
| IAM Group Inline Policies a58d1a2d-4078-4b80-855b-84cc3f7f4540 |
Medium | Encryption | IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more) | Documentation |
| AmazonMQ Broker Encryption Disabled 316278b3-87ac-444c-8f8f-a733a28da60f |
Medium | Encryption | AmazonMQ Broker should have Encryption Options defined (read more) | Documentation |
| ElasticSearch Encryption With KMS Disabled d926aa95-0a04-4abc-b20c-acf54afe38a1 |
Medium | Encryption | Check if any ElasticSearch domain isn't encrypted with KMS. (read more) | Documentation |
| Unscanned ECR Image 9025b2b3-e554-4842-ba87-db7aeec36d35 |
Medium | Encryption | Checks if the ECR Image has been scanned (read more) | Documentation |
| SageMaker EndPoint Config Should Specify KmsKeyId Attribute 44034eda-1c3f-486a-831d-e09a7dd94354 |
Medium | Encryption | KmsKeyId attribute should be defined (read more) | Documentation |
| RDS Storage Encryption Disabled 65844ba3-03a1-40a8-b3dd-919f122e8c95 |
Medium | Encryption | RDS DBCluster should have storage encrypted set to true (read more) | Documentation |
| Default KMS Key Usage e52395b4-250b-4c60-81d5-2e58c1d37abc |
Medium | Encryption | When StorageEncrypted is set to true, KmsKeyId should be defined, to avoid the use of the default KMS Key (read more) |
Documentation |
| CloudTrail Log Files Not Encrypted With KMS 050a9ba8-d1cb-4c61-a5e8-8805a70d3b85 |
Medium | Encryption | Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more) | Documentation |
| ElasticSearch Not Encrypted At Rest 86a248ab-0e01-4564-a82a-878303e253bb |
Medium | Encryption | Check if ElasticSearch encryption is disabled at Rest (read more) | Documentation |
| CodeBuild Not Encrypted d7467bb6-3ed1-4c82-8095-5e7a818d0aad |
Medium | Encryption | CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more) | Documentation |
| Memcached Disabled dd0971a6-09c3-4168-8474-a7ef8fbfd99d |
Medium | Encryption | Check if the Memcached is disabled on the ElastiCache (read more) | Documentation |
| Alexa Skill Plaintext Client Secret Exposed 3c3b7a58-b018-4d07-9444-d9ee7156e111 |
Medium | Encryption | Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more) | Documentation |
| Config Rule For Encrypted Volumes Disabled 1b6322d9-c755-4f8c-b804-32c19250f2d9 |
Medium | Encryption | Check if AWS config rules do not identify Encrypted Volumes as a source. (read more) | Documentation |
| KMS Key Rotation Disabled 235ca980-eb71-48f4-9030-df0c371029eb |
Medium | Encryption | EnableKeyRotation should not be false or undefined (read more) | Documentation |
| Neptune Database Cluster Encryption Disabled bf4473f1-c8a2-4b1b-8134-bd32efabab93 |
Medium | Encryption | Neptune database cluster storage should have encryption enabled (read more) | Documentation |
| EMR Security Configuration Encryption Disabled 5b033ec8-f079-4323-b5c8-99d4620433a9 |
Medium | Encryption | EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more) | Documentation |
| DynamoDB Table Not Encrypted 4bd21e68-38c1-4d58-acdc-6a14b203237f |
Medium | Encryption | AWS DynamoDB Tables should have server-side encryption (read more) | Documentation |
| SQS With SSE Disabled 12726829-93ed-4d51-9cbe-13423f4299e1 |
Medium | Encryption | Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more) | Documentation |
| EBS Volume Encryption Disabled 80b7ac3f-d2b7-4577-9b10-df7913497162 |
Medium | Encryption | EBS volumes should be encrypted (read more) | Documentation |
| API Gateway With Invalid Compression d6653eee-2d4d-4e6a-976f-6794a497999a |
Medium | Encryption | API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more) | Documentation |
| Workspace Without Encryption 89827c57-5a8a-49eb-9731-976a606d70db |
Medium | Encryption | Workspaces should have encryption enabled (read more) | Documentation |
| GitHub Repository Set To Public 5906092d-5f74-490d-9a03-78febe0f65e1 |
Medium | Insecure Configurations | Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more) | Documentation |
| EMR Cluster Without Security Configuration 48af92a5-c89b-4936-bc62-1086fe2bab23 |
Medium | Insecure Configurations | EMR Cluster should have security configuration defined. (read more) | Documentation |
| SageMaker Enabling Internet Access 88d55d94-315d-4564-beee-d2d725feab11 |
Medium | Insecure Configurations | SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more) | Documentation |
| API Gateway With Open Access 1056dfbb-5802-4762-bf2b-8b9b9684b1b0 |
Medium | Insecure Configurations | API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more) | Documentation |
| IAM User Has Too Many Access Keys 48677914-6fdf-40ec-80c4-2b0e94079f54 |
Medium | Insecure Configurations | Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more) | Documentation |
| Lambda Functions Without Unique IAM Roles ae03f542-1423-402f-9cef-c834e7ee9583 |
Medium | Insecure Configurations | AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more) | Documentation |
| IAM User LoginProfile Password Is In Plaintext 06adef8c-c284-4de7-aad2-af43b07a8ca1 |
Medium | Insecure Configurations | IAM User LoginProfile Password must not be a plaintext string (read more) | Documentation |
| ECR Image Tag Not Immutable 33f41d31-86b1-46a4-81f7-9c9a671f59ac |
Medium | Insecure Configurations | ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more) | Documentation |
| API Gateway Without SSL Certificate ed4c48b8-eccc-4881-95c1-09fdae23db25 |
Medium | Insecure Configurations | SSL Client Certificate should be enabled (read more) | Documentation |
| Instance With No VPC 8a6d36cd-0bc6-42b7-92c4-67acc8576861 |
Medium | Insecure Configurations | EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more) | Documentation |
| MQ Broker Is Publicly Accessible 68b6a789-82f8-4cfd-85de-e95332fe6a61 |
Medium | Insecure Configurations | Check if any MQ Broker is not publicly accessible (read more) | Documentation |
| Inline Policies Are Attached To ECS Service 9e8c89b3-7997-4d15-93e4-7911b9db99fd |
Medium | Insecure Configurations | Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more) | Documentation |
| Lambda Function Without Tags 8df8e857-bd59-44fa-9f4c-d77594b95b46 |
Medium | Insecure Configurations | AWS Lambda Functions must have associated tags. (read more) | Documentation |
| RouterTable with Default Routing 4f0908b9-eb66-433f-9145-134274e1e944 |
Medium | Insecure Defaults | NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more) | Documentation |
| S3 Bucket Should Have Bucket Policy 37fa8188-738b-42c8-bf82-6334ea567738 |
Medium | Insecure Defaults | Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more) | Documentation |
| ELB With Security Group Without Inbound Rules e200a6f3-c589-49ec-9143-7421d4a2c845 |
Medium | Networking and Firewall | An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more) | Documentation |
| Security Group Ingress With Port Range 87482183-a8e7-4e42-a566-7a23ec231c16 |
Medium | Networking and Firewall | AWS Security Group Ingress should have a single port (read more) | Documentation |
| API Gateway Endpoint Config is Not Private 4a8daf95-709d-4a36-9132-d3e19878fa34 |
Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more) | Documentation |
| VPC Without Network Firewall 3e293410-d5b8-411f-85fd-7d26294f20c9 |
Medium | Networking and Firewall | VPC should have a Network Firewall associated (read more) | Documentation |
| Security Group Egress With Port Range dae9c373-8287-462f-8746-6f93dad93610 |
Medium | Networking and Firewall | AWS Security Group Egress should have a single port (read more) | Documentation |
| API Gateway without WAF fcbf9019-566c-4832-a65c-af00d8137d2b |
Medium | Networking and Firewall | API Gateway should have WAF (Web Application Firewall) enabled (read more) | Documentation |
| ELB With Security Group Without Outbound Rules 01d5a458-a6c4-452a-ac50-054d59275b7c |
Medium | Networking and Firewall | An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more) | Documentation |
| Security Groups Without VPC Attached 493d9591-6249-47bf-8dc0-5c10161cc558 |
Medium | Networking and Firewall | Security Groups must have a VPC. (read more) | Documentation |
| TCP/UDP Protocol Network ACL Entry Allows All Ports f57f849c-883b-4cb7-85e7-f7b199dff163 |
Medium | Networking and Firewall | TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more) | Documentation |
| Security Group Egress CIDR Open To World 1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a |
Medium | Networking and Firewall | AWS Security Group Egress CIDR should not be open to the world (read more) | Documentation |
| EC2 Permissive Network ACL Protocols 03879981-efa2-47a0-a818-c843e1441b88 |
Medium | Networking and Firewall | To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more) | Documentation |
| ALB Is Not Integrated With WAF 105ba098-1e34-48cd-b0f2-a8a43a51bf9b |
Medium | Networking and Firewall | All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more) | Documentation |
| Security Group Egress With All Protocols ee464fc2-54a6-4e22-b10a-c6dcd2474d0c |
Medium | Networking and Firewall | AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more) | Documentation |
| GameLift Fleet EC2 InboundPermissions With Port Range 43356255-495d-4148-ad8d-f6af5eac09dd |
Medium | Networking and Firewall | AWS GameLift Fleet EC2InboundPermissions should have a single port (read more) | Documentation |
| Security Group Ingress With All Protocols 1a427b25-2e9e-4298-9530-0499a55e736b |
Medium | Networking and Firewall | AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more) | Documentation |
| Configuration Aggregator to All Regions Disabled 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d |
Medium | Observability | AWS Config Configuration Aggregator All Regions must be set to True (read more) | Documentation |
| ElasticSearch Without Slow Logs 086ea2eb-14a6-4fd4-914b-38e0bc8703e8 |
Medium | Observability | Ensure that AWS Elasticsearch enables support for slow logs (read more) | Documentation |
| Stack Notifications Disabled 837e033c-4717-40bd-807e-6abaa30161b7 |
Medium | Observability | AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more) | Documentation |
| API Gateway Stage Access Logging Settings Not Defined 80d45af4-4920-4236-a56e-b7ef419d1941 |
Medium | Observability | API Gateway Stage should have Access Logging Settings defined (read more) | Documentation |
| API Gateway Deployment Without Access Log Setting 06ec63e3-9f72-4fe2-a218-2eb9200b8db5 |
Medium | Observability | API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more) | Documentation |
| CloudFront Logging Disabled de77cd9f-0e8b-46cc-b4a4-b6b436838642 |
Medium | Observability | AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more) | Documentation |
| MSK Cluster Logging Disabled fc7c2c15-f5d0-4b80-adb2-c89019f8f62b |
Medium | Observability | Ensure MSK Cluster Logging is enabled (read more) | Documentation |
| ELB Access Log Disabled ee12ad32-2863-4c0f-b13f-28272d115028 |
Medium | Observability | ELB should have access log enabled (read more) | Documentation |
| GuardDuty Detector Disabled a25cd877-375c-4121-a640-730929936fac |
Medium | Observability | Make sure that Amazon GuardDuty is Enabled (read more) | Documentation |
| S3 Bucket Logging Disabled 4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c |
Medium | Observability | Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more) | Documentation |
| CloudTrail Multi Region Disabled 058ac855-989f-4378-ba4d-52d004020da7 |
Medium | Observability | CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more) | Documentation |
| CloudWatch Logging Disabled 0f0fb06b-0f2f-4374-8588-f2c7c348c7a0 |
Medium | Observability | Check if CloudWatch logging is disabled for Route53 hosted zones (read more) | Documentation |
| CloudWatch Metrics Disabled 5d3c1807-acb3-4bb0-be4e-0440230feeaf |
Medium | Observability | Checks if CloudWatch Metrics is Enabled (read more) | Documentation |
| ELBv2 ALB Access Log Disabled c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621 |
Medium | Observability | ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more) | Documentation |
| S3 Bucket Without Versioning a227ec01-f97a-4084-91a4-47b350c1db54 |
Medium | Observability | S3 bucket should have versioning enabled (read more) | Documentation |
| CloudTrail Not Integrated With CloudWatch 65d07da5-9af5-44df-8983-52d2e6f24c44 |
Medium | Observability | CloudTrail should be integrated with CloudWatch (read more) | Documentation |
| Redshift Cluster Logging Disabled 3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6 |
Medium | Observability | Make sure Logging is enabled for Redshift Cluster (read more) | Documentation |
| Elasticsearch Logs Disabled edbd62d4-8700-41de-b000-b3cfebb5e996 |
Medium | Observability | AWS Elasticsearch should have logs enabled (read more) | Documentation |
| API Gateway X-Ray Disabled 4ab10c48-bedb-4deb-8f3b-ff12783b61de |
Medium | Observability | API Gateway should have X-Ray Tracing enabled (read more) | Documentation |
| CloudTrail SNS Topic Name Undefined 3e09413f-471e-40f3-8626-990c79ae63f3 |
Medium | Observability | Check if SNS topic name is set for CloudTrail (read more) | Documentation |
| MQ Broker Logging Disabled e519ed6a-8328-4b69-8eb7-8fa549ac3050 |
Medium | Observability | Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more) | Documentation |
| Amplify App OAuth Token Exposed 03b38885-8f4e-480c-a0e4-12c1affd15db |
Medium | Secret Management | Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) | Documentation |
| SNS Topic Without KmsMasterKeyId 9d13b150-a2ab-42a1-b6f4-142e41f81e52 |
Medium | Secret Management | KmsMasterKeyId attribute should not be undefined (read more) | Documentation |
| DMS Endpoint MongoDB Settings Password Exposed f988a17f-1139-46a3-8928-f27eafd8b024 |
Medium | Secret Management | DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) | Documentation |
| Hardcoded AWS Access Key In Lambda 2564172f-c92b-4261-9acd-464aed511696 |
Medium | Secret Management | Lambda access/secret keys should not be hardcoded (read more) | Documentation |
| RefreshToken Is Exposed 5b48c507-0d1f-41b0-a630-76817c6b4189 |
Medium | Secret Management | Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more) | Documentation |
| Amplify Branch Basic Auth Config Password Exposed dfb56e5d-ee68-446e-b32a-657b62befe69 |
Medium | Secret Management | Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) | Documentation |
| Amplify App Basic Auth Config Password Exposed 71493c8b-3014-404c-9802-078b74496fb7 |
Medium | Secret Management | Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) | Documentation |
| DMS Endpoint Password Exposed 5f700072-b7ce-4e84-b3f3-497bf1c24a4d |
Medium | Secret Management | DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) | Documentation |
| Secrets Manager Should Specify KmsKeyId c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22 |
Medium | Secret Management | Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more) | Documentation |
| Directory Service Simple AD Password Exposed 6685d912-d81f-4cfa-95ad-e316ea31c989 |
Medium | Secret Management | DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) | Documentation |
| Amplify App Access Token Exposed 73980e43-f399-4fcc-a373-658228f7adf7 |
Medium | Secret Management | Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more) | Documentation |
| Directory Service Microsoft AD Password Set to Plaintext or Default Ref 06b9f52a-8cd5-459b-bdc6-21a22521e1be |
Medium | Secret Management | Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more) | Documentation |
| EBS Volume Without KmsKeyId b7063015-6c31-4658-a8e7-14f98f37fd42 |
Medium | Secret Management | EBS Volume should specify a KmsKeyId value (read more) | Documentation |
| DocDB Cluster Master Password In Plaintext 39423ce4-9011-46cd-b6b1-009edcd9385d |
Medium | Secret Management | DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more) | Documentation |
| High Access Key Rotation Period 800fa019-49dd-421b-9042-7331fdd83fa2 |
Medium | Secret Management | ConfigRule should enforce access keys to be rotated within 90 days. (read more) | Documentation |
| Support Has No Role Associated d71b5fd7-9020-4b2d-9ec8-b3839faa2744 |
Low | Access Control | Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more) | Documentation |
| EC2 Instance Using Default Security Group 08b81bb3-0985-4023-8602-b606ad81d279 |
Low | Access Control | EC2 instances should not use default security group(s) (read more) | Documentation |
| IAM Policy Grants 'AssumeRole' Permission Across All Services e835bd0d-65da-49f7-b6d1-b646da8727e6 |
Low | Access Control | IAM Policy should not grant 'AssumeRole' permission across all services. (read more) | Documentation |
| IAM Group Without Users 8f957abd-9703-413d-87d3-c578950a753c |
Low | Access Control | IAM Group should have at least one user associated (read more) | Documentation |
| IAM User With No Group 06933df4-0ea7-461c-b9b5-104d27390e0e |
Low | Access Control | A IAM user should belong to a group (read more) | Documentation |
| IAM Role Allows All Principals To Assume f80e3aa7-7b34-4185-954e-440a6894dde6 |
Low | Access Control | IAM role allows all services or principals to assume it (read more) | Documentation |
| VPC Attached With Too Many Gateways 97e94d17-e2c7-4109-a53b-6536ac1bb64e |
Low | Availability | The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more) | Documentation |
| RDS DB Instance With Deletion Protection Disabled 2c161e58-cb52-454f-abea-6470c37b5e6e |
Low | Backup | RDS DBInstance should have deletion protection set to true (read more) | Documentation |
| Lambda Permission Misconfigured 9b83114b-b2a1-4534-990d-06da015e47aa |
Low | Best Practices | Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more) | Documentation |
| Geo Restriction Disabled 7f8843f0-9ea5-42b4-a02b-753055113195 |
Low | Best Practices | Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more) | Documentation |
| CDN Configuration Is Missing e4f54ff4-d352-40e8-a096-5141073c37a2 |
Low | Best Practices | Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more) | Documentation |
| Automatic Minor Upgrades Disabled f0104061-8bfc-4b45-8a7d-630eb502f281 |
Low | Best Practices | RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more) | Documentation |
| IAM Access Analyzer Not Enabled 8d29754a-2a18-460d-a1ba-9509f8d359da |
Low | Best Practices | IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more) | Documentation |
| Security Group Ingress Has CIDR Not Recommended a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd |
Low | Best Practices | AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more) | Documentation |
| IAM Policies Without Groups 5e7acff5-095b-40ac-9073-ac2e4ad8a512 |
Low | Best Practices | IAM policy should not apply directly to users, should be with a group (read more) | Documentation |
| EFS Without Tags 08e39832-5e42-4304-98a0-aa5b43393162 |
Low | Build Process | Amazon Elastic Filesystem should have filesystem tags associated (read more) | Documentation |
| DynamoDB With Not Recommented Table Billing Mode c333e906-8d8b-4275-b999-78b6318f8dc6 |
Low | Build Process | Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more) | Documentation |
| API Gateway Cache Cluster Disabled 52790cad-d60d-41d5-8483-146f9f21208d |
Low | Insecure Configurations | AWS API Gateway should have cache clustering enabled (read more) | Documentation |
| Lambda Function Without Dead Letter Queue c2eae442-d3ba-4cb1-84ca-1db4f80eae3d |
Low | Insecure Configurations | AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more) | Documentation |
| Wildcard In ACM Certificate Domain Name cc8b294f-006f-4f8f-b5bb-0a9140c33131 |
Low | Insecure Configurations | ACM Certificate should not use wildcards (*) in the domain name (read more) | Documentation |
| S3 Bucket Without Ignore Public ACL 6c8d51af-218d-4bfb-94a9-94eabaa0703a |
Low | Insecure Configurations | S3 bucket without ignore public ACL (read more) | Documentation |
| Redshift Using Default Port a478af30-8c3a-404d-aa64-0b673cee509a |
Low | Networking and Firewall | Redshift should not use the default port (5439) because an attacker can easily guess the port (read more) | Documentation |
| RDS Using Default Port 1fe9d958-ddce-4228-a124-05265a959a8b |
Low | Networking and Firewall | RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more) | Documentation |
| EC2 Network ACL Duplicate Rule 045ddb54-cfc5-4abb-9e05-e427b2bc96fe |
Low | Networking and Firewall | A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more) | Documentation |
| Shield Advanced Not In Use ad7444cf-817a-4765-a79e-2145f7981faf |
Low | Networking and Firewall | AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more) | Documentation |
| CloudFront Without WAF 0f139403-303f-467c-96bd-e717e6cfd62d |
Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more) | Documentation |
| EMR Without VPC bf89373a-be40-4c04-99f5-746742dfd7f3 |
Low | Networking and Firewall | Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more) | Documentation |
| EC2 Instance Using Default VPC e42a3ef0-5325-4667-84bf-075ba1c9d58e |
Low | Networking and Firewall | EC2 Instances should not be configured under a default VPC network (read more) | Documentation |
| ElastiCache Using Default Port 323db967-c68e-44e6-916c-a777f95af34b |
Low | Networking and Firewall | ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more) | Documentation |
| ElastiCache Without VPC ba766c53-fe71-4bbb-be35-b6803f2ef13e |
Low | Networking and Firewall | ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more) | Documentation |
| ECS Task Definition HealthCheck Missing d24389b4-b209-4ff0-8345-dc7a4569dcdd |
Low | Observability | Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more) | Documentation |
| Lambda Functions Without X-Ray Tracing 9488c451-074e-4cd3-aee3-7db6104f542c |
Low | Observability | AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more) | Documentation |
| VPC FlowLogs Disabled f6d299d2-21eb-41cc-b1e1-fe12d857500b |
Low | Observability | Every VPC resource should have an associated Flow Log (read more) | Documentation |
| CloudTrail Log File Validation Disabled 2a3560fe-52ca-4443-b34f-bf0ed5eb74c8 |
Low | Observability | CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more) | Documentation |
| API Gateway Deployment Without API Gateway UsagePlan Associated 783860a3-6dca-4c8b-81d0-7b62769ccbca |
Low | Observability | API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more) | Documentation |
| VPC Without Attached Subnet 3b3b4411-ad1f-40e7-b257-a78a6bb9673a |
Low | Resource Management | VPCs without attached subnets may indicate that they are not being used (read more) | Documentation |
| API Gateway Stage Without API Gateway UsagePlan Associated 7f8f1b60-43df-4c28-aa21-fb836dbd8071 |
Low | Resource Management | API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more) | Documentation |
| SDB Domain Declared As A Resource 6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d |
Low | Resource Management | SimpleDB Domain resource should not be declared (read more) | Documentation |
| ECS Task Definition Invalid CPU or Memory f4c9b5f5-68b8-491f-9e48-4f96644a1d51 |
Low | Resource Management | In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more) | Documentation |
| EC2 Not EBS Optimized 8dd0ff1f-0da4-48df-9bb3-7f338ae36a40 |
Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more) | Documentation |
| Security Group Rule Without Description 5e6c9c68-8a82-408e-8749-ddad78cbb9c5 |
Info | Best Practices | It's considered a best practice for AWS Security Group to have a description (read more) | Documentation |
| EC2 Instance Monitoring Disabled 0264093f-6791-4475-af34-4b8102dcbcd0 |
Info | Observability | EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more) | Documentation |
AWS_BOM¶
Bellow are listed queries related with CloudFormation AWS_BOM:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| BOM - AWS Cassandra 124b173b-e06d-48a6-8acd-f889443d97a4 |
Trace | Bill Of Materials | A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more) | Documentation |
| BOM - AWS MSK 2730c169-51d7-4ae7-99b5-584379eff1bb |
Trace | Bill Of Materials | A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more) | Documentation |
| BOM - AWS Elasticache c689f51b-9203-43b3-9d8b-caed123f706c |
Trace | Bill Of Materials | A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more) | Documentation |
| BOM - AWS EBS 0b0556ea-9cd9-476f-862e-20679dda752b |
Trace | Bill Of Materials | A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more) | Documentation |
| BOM - AWS MQ 209189f3-c879-48a7-9703-fbcfa96d0cef |
Trace | Bill Of Materials | A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more) | Documentation |
| BOM - AWS DynamoDB 4e67c0ae-38a0-47f4-a50c-f0c9b75826df |
Trace | Bill Of Materials | A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more) | Documentation |
| BOM - AWS Kinesis d53323be-dde6-4457-9a43-42df737e71d2 |
Trace | Bill Of Materials | A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more) | Documentation |
| BOM - AWS EFS ef05a925-8568-4054-8ff1-f5ba82631c16 |
Trace | Bill Of Materials | A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more) | Documentation |
| BOM - AWS SNS 42e7dca3-8cce-4325-8df0-108888259136 |
Trace | Bill Of Materials | A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more) | Documentation |
| BOM - AWS RDS 6ef03ff6-a2bd-483c-851f-631f248bc0ea |
Trace | Bill Of Materials | A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more) | Documentation |
| BOM - AWS SQS 59a849c2-1127-4023-85a5-ef906dcd458c |
Trace | Bill Of Materials | A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more) | Documentation |
| BOM - AWS S3 Buckets b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83 |
Trace | Bill Of Materials | A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more) | Documentation |
AWS_SAM¶
Bellow are listed queries related with CloudFormation AWS_SAM:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Serverless Function Environment Variables Not Encrypted a7f8ac28-eed1-483d-87c8-4c325f022572 |
High | Encryption | AWS Serverless Function should encrypt environment variables (read more) | Documentation |
| Serverless API Without Content Encoding a2f2800e-614b-4bc8-89e6-fec8afd24800 |
Medium | Encryption | AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more) | Documentation |
| Serverless Function Without Unique IAM Role 4ba74f01-aba5-4be2-83bc-be79ff1a3b92 |
Medium | Insecure Configurations | AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more) | Documentation |
| Serverless Function Without Tags a71ecabe-03b6-456a-b3bc-d1a39aa20c98 |
Medium | Insecure Configurations | AWS Serverless Function should have associated tags (read more) | Documentation |
| Serverless API Endpoint Config Not Private 6b5b0313-771b-4319-ad7a-122ee78700ef |
Medium | Networking and Firewall | AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more) | Documentation |
| Serverless API Access Logging Setting Undefined 0a994e04-c6dc-471d-817e-d37451d18a3b |
Medium | Observability | AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more) | Documentation |
| Serverless API X-Ray Tracing Disabled c757c6a3-ac87-4b9d-b28d-e5a5add6a315 |
Medium | Observability | AWS Serverless API should have X-Ray Tracing enabled (read more) | Documentation |
| Serverless Function Without Dead Letter Queue cb2f612b-ed42-4ff5-9fb9-255c73d39a18 |
Low | Insecure Configurations | AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more) | Documentation |
| Serverless API Cache Cluster Disabled 60a05ede-0a68-4d0d-a58f-f538cf55ff79 |
Low | Insecure Configurations | AWS Serverless API should have cache clustering enabled (read more) | Documentation |
| Serverless Function Without X-Ray Tracing dc1ab429-1481-4540-9b1d-280e3f15f1f8 |
Low | Observability | AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more) | Documentation |