Terraform
Terraform Queries List¶
This page contains all queries from Terraform.
AWS¶
Bellow are listed queries related with Terraform AWS:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| IAM Role With Full Privileges b1ffa705-19a3-4b73-b9d0-0c97d0663842 |
High | Access Control | IAM role policy that allow full administrative privileges (for all resources) (read more) | Documentation |
| S3 Bucket Allows List Action From All Principals 66c6f96f-2d9e-417e-a998-9058aeeecd44 |
High | Access Control | S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more) | Documentation |
| ECS Service Admin Role Is Present 3206240f-2e87-4e58-8d24-3e19e7c83d7c |
High | Access Control | ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more) | Documentation |
| S3 Bucket Access to Any Principal 7af43613-6bb9-4a0e-8c4d-1314b799425e |
High | Access Control | S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more) | Documentation |
| SNS Topic is Publicly Accessible b26d2b7e-60f6-413d-a3a1-a57db24aa2b3 |
High | Access Control | SNS Topic Policy should not allow any principal to access (read more) | Documentation |
| SQS Queue Exposed abb06e5f-ef9a-4a99-98c6-376d396bfcdf |
High | Access Control | Checks if the SQS Queue is exposed (read more) | Documentation |
| S3 Bucket With All Permissions a4966c4f-9141-48b8-a564-ffe9959945bc |
High | Access Control | S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more) | Documentation |
| IAM Policy Grants Full Permissions 575a2155-6af1-4026-b1af-d5bc8fe2a904 |
High | Access Control | IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more) | Documentation |
| S3 Bucket ACL Allows Read Or Write to All Users 38c5ee0d-7f22-4260-ab72-5073048df100 |
High | Access Control | S3 Buckets should not be readable and writable to all users (read more) | Documentation |
| S3 Bucket Allows Get Action From All Principals 1df37f4b-7197-45ce-83f8-9994d2fcf885 |
High | Access Control | S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more) | Documentation |
| MSK Broker Is Publicly Accessible 54378d69-dd7c-4b08-a43e-80d563396857 |
High | Access Control | Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more) | Documentation |
| Neptune Cluster Instance is Publicly Accessible 9ba198e0-fef4-464a-8a4d-75ea55300de7 |
High | Access Control | Neptune Cluster Instance should not be publicly accessible (read more) | Documentation |
| S3 Bucket Allows Put Action From All Principals d24c0755-c028-44b1-b503-8e719c898832 |
High | Access Control | S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more) | Documentation |
| S3 Bucket ACL Grants WRITE_ACP Permission 64a222aa-7793-4e40-915f-4b302c76e4d4 |
High | Access Control | S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more) | Documentation |
| SSO Policy with full privileges 132a8c31-9837-4203-9fd1-15ca210c7b73 |
High | Access Control | SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more) | Documentation |
| EFS With Vulnerable Policy fae52418-bb8b-4ac2-b287-0b9082d6a3fd |
High | Access Control | EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more) | Documentation |
| S3 Bucket Allows Public Policy 1a4bc881-9f69-4d44-8c9a-d37d08f54c50 |
High | Access Control | S3 bucket allows public policy (read more) | Documentation |
| Authentication Without MFA 3ddfa124-6407-4845-a501-179f90c65097 |
High | Access Control | Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more) | Documentation |
| IAM Policies With Full Privileges 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84 |
High | Access Control | IAM policies shouldn't allow full administrative privileges (for all resources) (read more) | Documentation |
| S3 Bucket ACL Allows Read to Any Authenticated User 57b9893d-33b1-4419-bcea-a717ea87e139 |
High | Access Control | S3 Buckets should not be readable to any authenticated user (read more) | Documentation |
| Amazon DMS Replication Instance Is Publicly Accessible 030d3b18-1821-45b4-9e08-50efbe7becbb |
High | Access Control | Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more) | Documentation |
| S3 Bucket Allows Delete Action From All Principals ffdf4b37-7703-4dfe-a682-9d2e99bc6c09 |
High | Access Control | S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more) | Documentation |
| EBS Volume Snapshot Not Encrypted e6b4b943-6883-47a9-9739-7ada9568f8ca |
High | Encryption | The value on AWS EBS Volume Snapshot Encryptation must be true (read more) | Documentation |
| S3 Bucket Object Not Encrypted 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e |
High | Encryption | S3 Bucket Object should have server-side encryption enabled (read more) | Documentation |
| DOCDB Cluster Without KMS 4766d3ea-241c-4ee6-93ff-c380c996bd1a |
High | Encryption | AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more) | Documentation |
| RDS Database Cluster not Encrypted 656880aa-1388-488f-a6d4-8f73c23149b2 |
High | Encryption | RDS Database Cluster Encryption should be enabled (read more) | Documentation |
| Cloudfront Viewer Protocol Policy Allows HTTP 55af1353-2f62-4fa0-a8e1-a210ca2708f5 |
High | Encryption | Checks if the connection between CloudFront and the viewer is encrypted (read more) | Documentation |
| Athena Workgroup Not Encrypted d364984a-a222-4b5f-a8b0-e23ab19ebff3 |
High | Encryption | Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more) | Documentation |
| DAX Cluster Not Encrypted f11aec39-858f-4b6f-b946-0a1bf46c0c87 |
High | Encryption | AWS DAX Cluster should have server-side encryption at rest (read more) | Documentation |
| Athena Database Not Encrypted b2315cae-b110-4426-81e0-80bb8640cdd3 |
High | Encryption | AWS Athena Database data in S3 should be encrypted (read more) | Documentation |
| CodeBuild Project Encrypted With AWS Managed Key 3deec14b-03d2-4d27-9670-7d79322e3340 |
High | Encryption | CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more) | Documentation |
| Redshift Not Encrypted cfdcabb0-fc06-427c-865b-c59f13e898ce |
High | Encryption | AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more) | Documentation |
| Sagemaker Endpoint Configuration Encryption Disabled 58b35504-0287-4154-bf69-02c0573deab8 |
High | Encryption | Sagemaker endpoint configuration should encrypt data (read more) | Documentation |
| Aurora With Disabled at Rest Encryption 1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e |
High | Encryption | Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more) | Documentation |
| Redis Not Compliant 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4 |
High | Encryption | Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more) | Documentation |
| AMI Not Encrypted 8bbb242f-6e38-4127-86d4-d8f0b2687ae2 |
High | Encryption | AWS AMI Encryption is not enabled (read more) | Documentation |
| MSK Cluster Encryption Disabled 6db52fa6-d4da-4608-908a-89f0c59e743e |
High | Encryption | Ensure MSK Cluster encryption in rest and transit is enabled (read more) | Documentation |
| EFS Without KMS 25d251f3-f348-4f95-845c-1090e41a615c |
High | Encryption | Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more) | Documentation |
| EBS Default Encryption Disabled 3d3f6270-546b-443c-adb4-bb6fb2187ca6 |
High | Encryption | EBS Encryption should be enabled (read more) | Documentation |
| User Data Shell Script Is Encoded 9cf718ce-46f9-430e-89ec-c456f8b469ee |
High | Encryption | User Data Shell Script must be encoded (read more) | Documentation |
| ECS Task Definition Container With Plaintext Password d40210ea-64b9-4cce-a4fb-e8604f3c062c |
High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more) | Documentation |
| Glue Data Catalog Encryption Disabled 01d50b14-e933-4c99-b314-6d08cd37ad35 |
High | Encryption | Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more) | Documentation |
| RDS Storage Not Encrypted 3199c26c-7871-4cb3-99c2-10a59244ce7f |
High | Encryption | RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more) | Documentation |
| ELB Using Insecure Protocols 126c1788-23c2-4a10-906c-ef179f4f96ec |
High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more) | Documentation |
| ELB Using Weak Ciphers 4a800e14-c94a-442d-9067-5a2e9f6c0a4c |
High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more) | Documentation |
| User Data Contains Encoded Private Key 443488f5-c734-460b-a36d-5b3f330174dc |
High | Encryption | User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more) | Documentation |
| ECS Task Definition Volume Not Encrypted 4d46ff3b-7160-41d1-a310-71d6d370b08f |
High | Encryption | AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted (read more) | Documentation |
| EKS Cluster Encryption Disabled 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281 |
High | Encryption | EKS Cluster should be encrypted (read more) | Documentation |
| IAM Database Auth Not Enabled 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6 |
High | Encryption | IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more) | Documentation |
| DOCDB Cluster Not Encrypted bc1f9009-84a0-490f-ae09-3e0ea6d74ad6 |
High | Encryption | AWS DOCDB Cluster storage should be encrypted (read more) | Documentation |
| Glue Security Configuration Encryption Disabled ad5b4e97-2850-4adf-be17-1d293e0b85ee |
High | Encryption | Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more) | Documentation |
| Workspaces Workspace Volume Not Encrypted b9033580-6886-401a-8631-5f19f5bb24c7 |
High | Encryption | AWS Workspaces Workspace data stored in volumes should be encrypted (read more) | Documentation |
| Sagemaker Notebook Instance Without KMS f3674e0c-f6be-43fa-b71c-bf346d1aed99 |
High | Encryption | AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more) | Documentation |
| EFS Volume With Disabled Transit Encryption 4c3267c9-b2ac-40bf-93f6-b610fb8c7b9f |
High | Encryption | Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more) | Documentation |
| Kinesis SSE Not Configured 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3 |
High | Encryption | AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more) | Documentation |
| Launch Configuration Is Not Encrypted 4de9de27-254e-424f-bd70-4c1e95790838 |
High | Encryption | Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more) | Documentation |
| CA Certificate Identifier Is Outdated 9f40c07e-699e-4410-8856-3ba0f2e3a2dd |
High | Encryption | The CA certificate Identifier must be 'rds-ca-2019'. (read more) | Documentation |
| S3 Bucket SSE Disabled 6726dcc0-5ff5-459d-b473-a780bef7665c |
High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more) | Documentation |
| EFS Not Encrypted 48207659-729f-4b5c-9402-f884257d794f |
High | Encryption | Elastic File System (EFS) must be encrypted (read more) | Documentation |
| DB Instance Storage Not Encrypted 08bd0760-8752-44e1-9779-7bb369b2b4e4 |
High | Encryption | AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more) | Documentation |
| Secure Ciphers Disabled 5c0003fb-9aa0-42c1-9da3-eb0e332bef21 |
High | Encryption | Check if secure ciphers aren't used in CloudFront (read more) | Documentation |
| Kinesis Not Encrypted With KMS 862fe4bf-3eec-4767-a517-40f378886b88 |
High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS (read more) | Documentation |
| API Gateway Method Settings Cache Not Encrypted b7c9a40c-23e4-4a2d-8d39-a3352f10f288 |
High | Encryption | API Gateway Method Settings Cache should be encrypted (read more) | Documentation |
| No Password Policy Enabled b592ffd4-0577-44b6-bd35-8c5ee81b5918 |
High | Insecure Configurations | IAM password policies should be set through the password minimum length and reset password attributes (read more) | Documentation |
| IAM User Policy Without MFA b5681959-6c09-4f55-b42b-c40fa12d03ec |
High | Insecure Configurations | Check if the root user is authenticated with MFA (read more) | Documentation |
| API Gateway Without Security Policy 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b |
High | Insecure Configurations | API Gateway should have a Security Policy defined and use TLS 1.2. (read more) | Documentation |
| KMS Key With Full Permissions 7ebc9038-0bde-479a-acc4-6ed7b6758899 |
High | Insecure Configurations | The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more) | Documentation |
| DB Instance Publicly Accessible 35113e6f-2c6b-414d-beec-7a9482d3b2d1 |
High | Insecure Configurations | RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more) | Documentation |
| Batch Job Definition With Privileged Container Properties 66cd88ac-9ddf-424a-b77e-e55e17630bee |
High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties (read more) | Documentation |
| Lambda Function With Privileged Role 1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2 |
High | Insecure Configurations | It is not advisable for AWS Lambda Functions to have privileged permissions. (read more) | Documentation |
| Redshift Publicly Accessible af173fde-95ea-4584-b904-bb3923ac4bda |
High | Insecure Configurations | AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more) | Documentation |
| CloudFront Without Minimum Protocol TLS 1.2 00e5e55e-c2ff-46b3-a757-a7a1cd802456 |
High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 (read more) | Documentation |
| DB Security Group Has Public Interface f0d8781f-99bf-4958-9917-d39283b168a0 |
High | Insecure Configurations | The CIDR IP should not be a public interface (read more) | Documentation |
| Root Account Has Active Access Keys 970d224d-b42a-416b-81f9-8f4dfe70c4bc |
High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more) | Documentation |
| S3 Bucket with Unsecured CORS Rule 98a8f708-121b-455b-ae2f-da3fb59d17e1 |
High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more) | Documentation |
| S3 Static Website Host Enabled 42bb6b7f-6d54-4428-b707-666f669d94fb |
High | Insecure Configurations | Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more) | Documentation |
| S3 Bucket Without Restriction Of Public Bucket 1ec253ab-c220-4d63-b2de-5b40e0af9293 |
High | Insecure Configurations | S3 bucket without restriction of public bucket (read more) | Documentation |
| ECS Task Definition Network Mode Not Recommended 9f4a9409-9c60-4671-be96-9716dbf63db1 |
High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more) | Documentation |
| S3 Bucket Without Enabled MFA Delete c5b31ab9-0f26-4a49-b8aa-4cc064392f4d |
High | Insecure Configurations | S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= |
Documentation |
| Vulnerable Default SSL Certificate 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef |
High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more) | Documentation |
| EKS Cluster Has Public Access CIDRs 61cf9883-1752-4768-b18c-0d57f2737709 |
High | Networking and Firewall | Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more) | Documentation |
| Unknown Port Exposed To Internet 590d878b-abdc-428f-895a-e2b68a0e1998 |
High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet (read more) | Documentation |
| Unrestricted Security Group Ingress 4728cd65-a20c-49da-8b31-9c08b423e4db |
High | Networking and Firewall | Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more) | Documentation |
| RDS Associated with Public Subnet 2f737336-b18a-4602-8ea0-b200312e1ac1 |
High | Networking and Firewall | RDS should not run in public subnet (read more) | Documentation |
| Route53 Record Undefined 25db74bf-fa3b-44da-934e-8c3e005c0453 |
High | Networking and Firewall | Check if Record is set (read more) | Documentation |
| Default Security Groups With Unrestricted Traffic 46883ce1-dc3e-4b17-9195-c6a601624c73 |
High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. (read more) | Documentation |
| Elasticsearch with HTTPS disabled 2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e |
High | Networking and Firewall | Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more) | Documentation |
| DB Security Group With Public Scope 1e0ef61b-ad85-4518-a3d3-85eaad164885 |
High | Networking and Firewall | The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more) | Documentation |
| Security Group With Unrestricted Access To SSH 65905cec-d691-4320-b320-2000436cb696 |
High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Security Group (read more) | Documentation |
| Network ACL With Unrestricted Access To SSH 3af7f2fd-06e6-4dab-b996-2912bea19ba4 |
High | Networking and Firewall | 'SSH' (TCP:22) should not be public in AWS Network ACL (read more) | Documentation |
| VPC Peering Route Table with Unrestricted CIDR b3a41501-f712-4c4f-81e5-db9a7dc0e34e |
High | Networking and Firewall | VPC Peering Route Table should restrict CIDR (read more) | Documentation |
| VPC Default Security Group Accepts All Traffic 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75 |
High | Networking and Firewall | Default Security Group attached to every VPC should restrict all traffic (read more) | Documentation |
| Network ACL With Unrestricted Access To RDP a20be318-cac7-457b-911d-04cc6e812c25 |
High | Networking and Firewall | 'RDP' (TCP:3389) should not be public in AWS Network ACL (read more) | Documentation |
| DB Security Group Open To Large Scope 4f615f3e-fb9c-4fad-8b70-2e9f781806ce |
High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. (read more) | Documentation |
| HTTP Port Open To Internet ffac8a12-322e-42c1-b9b9-81ff85c39ef7 |
High | Networking and Firewall | The HTTP port is open to the internet in a Security Group (read more) | Documentation |
| Sensitive Port Is Exposed To Entire Network 381c3f2a-ef6f-4eff-99f7-b169cda3422c |
High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more) | Documentation |
| EKS node group remote access disabled ba40ace1-a047-483c-8a8d-bc2d3a67a82d |
High | Networking and Firewall | EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more) | Documentation |
| EC2 Instance Has Public IP 5a2486aa-facf-477d-a5c1-b010789459ce |
High | Networking and Firewall | EC2 Instance should not have a public IP address. (read more) | Documentation |
| Remote Desktop Port Open To Internet 151187cb-0efc-481c-babd-ad24e3c9bc22 |
High | Networking and Firewall | The Remote Desktop port is open to the internet in a Security Group (read more) | Documentation |
| ALB Listening on HTTP de7f5e83-da88-4046-871f-ea18504b1d43 |
High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP (read more) | Documentation |
| CloudWatch IAM Policy Changes Alarm Missing eaaba502-2f94-411a-a3c2-83d63cc1776d |
High | Observability | Ensure a log metric filter and alarm exist for IAM policy changes (read more) | Documentation |
| CMK Rotation Disabled 22fbfeac-7b5a-421a-8a27-7a2178bb910b |
High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more) | Documentation |
| CloudTrail Logging Disabled 4bb76f17-3d63-4529-bdca-2b454529d774 |
High | Observability | Checks if logging is enabled for CloudTrail. (read more) | Documentation |
| CloudWatch Console Sign-in Without MFA Alarm Missing 44ceb4fa-0897-4fd2-b676-30e7a58f2933 |
High | Observability | Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more) | Documentation |
| CloudWatch Root Account Use Missing 8b1b1e67-6248-4dca-bbad-93486bb181c0 |
High | Observability | Ensure a log metric filter and alarm exist for root acount usage (read more) | Documentation |
| KMS Key With No Deletion Window 0b530315-0ea4-497f-b34c-4ff86268f59d |
High | Observability | AWS KMS Key should have a valid deletion window (read more) | Documentation |
| CloudTrail Log Files S3 Bucket is Publicly Accessible bd0088a5-c133-4b20-b129-ec9968b16ef3 |
High | Observability | CloudTrail Log Files S3 Bucket should not be publicly accessible (read more) | Documentation |
| CloudTrail Log Files S3 Bucket with Logging Disabled ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4 |
High | Observability | CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more) | Documentation |
| CloudWatch Unauthorized Access Alarm Missing 4c18a45b-4ab1-4790-9f83-399ac695f1e5 |
High | Observability | Ensure a log metric filter and alarm exist for unauthorized API calls (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:AttachRolePolicy' e227091e-2228-4b40-b046-fc13650d8e88 |
Medium | Access Control | User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' 7d544dad-8a6c-431c-84c1-5f07fe9afc0e |
Medium | Access Control | Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy' f906113d-cdc0-415a-ba60-609cc6daaf4d |
Medium | Access Control | Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' 571254d8-aa6a-432e-9725-535d3ef04d69 |
Medium | Access Control | Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:PutRolePolicy' eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7 |
Medium | Access Control | Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Secrets Manager With Vulnerable Policy fa00ce45-386d-4718-8392-fb485e1f3c5b |
Medium | Access Control | Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more) | Documentation |
| Certificate Has Expired c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6 |
Medium | Access Control | Expired SSL/TLS certificates should be removed (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:PutUserPolicy' 8f75840d-9ee7-42f3-b203-b40e3979eb12 |
Medium | Access Control | Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' 19ffbe31-9d72-4379-9768-431195eae328 |
Medium | Access Control | User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| SES Policy With Allowed IAM Actions 34b921bd-90a0-402e-a0a5-dc73371fd963 |
Medium | Access Control | SES policy should not allow IAM actions to all principals (read more) | Documentation |
| IAM Policies Attached To User b4378389-a9aa-44ee-91e7-ef183f11079e |
Medium | Access Control | IAM policies should be attached only to groups or roles (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' 78f1ec6f-5659-41ea-bd48-d0a142dce4f2 |
Medium | Access Control | Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| SNS Topic Publicity Has Allow and NotAction Simultaneously 5ea624e4-c8b1-4bb3-87a4-4235a776adcc |
Medium | Access Control | SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:PutRolePolicy' c0c1e744-0f37-445e-924a-1846f0839f69 |
Medium | Access Control | Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Public and Private EC2 Share Role c53c7a89-f9d7-4c7b-8b66-8a555be99593 |
Medium | Access Control | Public and private EC2 istances should not share the same role. (read more) | Documentation |
| Cross-Account IAM Assume Role Policy Without ExternalId or MFA 09c35abf-5852-4622-ac7a-b987b331232e |
Medium | Access Control | Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:UpdateLoginProfile' 6deb34e2-5d9c-499a-801b-ea6d9eda894f |
Medium | Access Control | User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:CreatePolicyVersion' 1743f5f1-0bb0-4934-acef-c80baa5dadfa |
Medium | Access Control | User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:AddUserToGroup' bf9d42c7-c2f9-4dfe-942c-c8cc8249a081 |
Medium | Access Control | User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Lambda Permission Principal Is Wildcard e08ed7eb-f3ef-494d-9d22-2e3db756a347 |
Medium | Access Control | Lambda Permission Principal should not contain a wildcard. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:CreateAccessKey' 5b4d4aee-ac94-4810-9611-833636e5916d |
Medium | Access Control | Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Neptune Cluster With IAM Database Authentication Disabled c91d7ea0-d4d1-403b-8fe1-c9961ac082c5 |
Medium | Access Control | Neptune Cluster should have IAM Database Authentication enabled (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' 118281d0-6471-422e-a7c5-051bc667926e |
Medium | Access Control | Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' 15e6ad8c-f420-49a6-bafb-074f5eb1ec74 |
Medium | Access Control | Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' 94fbe150-27e3-4eba-9ca6-af32865e4503 |
Medium | Access Control | User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:PutGroupPolicy' e77c89f6-9c85-49ea-b95b-5f960fe5be92 |
Medium | Access Control | Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Lambda With Vulnerable Policy ad9dabc7-7839-4bae-a957-aa9120013f39 |
Medium | Access Control | The attribute 'action' should not have wildcard (read more) | Documentation |
| Policy Without Principal bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54 |
Medium | Access Control | All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more) | Documentation |
| Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' eda48c88-2b7d-4e34-b6ca-04c0194aee17 |
Medium | Access Control | Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:AttachRolePolicy' f465fff1-0a0f-457d-aa4d-1bddb6f204ff |
Medium | Access Control | Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile' ad296c0d-8131-4d6b-b030-1b0e73a99ad3 |
Medium | Access Control | Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' 034d0aee-620f-4bf7-b7fb-efdf661fdb9e |
Medium | Access Control | Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:CreateLoginProfile' 0fd7d920-4711-46bd-aff2-d307d82cd8b7 |
Medium | Access Control | User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' 30b88745-eebe-4ecb-a3a9-5cf886e96204 |
Medium | Access Control | Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:CreateLoginProfile' 9a205ba3-0dd1-42eb-8d54-2ffec836b51a |
Medium | Access Control | Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| SSO Permission With Inadequate User Session Duration ce9dfce0-5fc8-433b-944a-3b16153111a8 |
Medium | Access Control | SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:PutRolePolicy' eeb4d37a-3c59-4789-a00c-1509bc3af1e5 |
Medium | Access Control | User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| IAM Role Policy passRole Allows All e39bee8c-fe54-4a3f-824d-e5e2d1cca40a |
Medium | Access Control | Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more) | Documentation |
| SQS Policy Allows All Actions 816ea8cf-d589-442d-a917-2dd0ce0e45e3 |
Medium | Access Control | SQS policy allows ALL (*) actions (read more) | Documentation |
| API Gateway Method Does Not Contains An API Key 671211c5-5d2a-4e97-8867-30fc28b02216 |
Medium | Access Control | An API Key should be required on a method request. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile' 35ccf766-0e4d-41ed-9ec4-2dab155082b4 |
Medium | Access Control | Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:PutGroupPolicy' 8bfbf7ab-d5e8-4100-8618-798956e101e0 |
Medium | Access Control | User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' 9b0ffadc-a61f-4c2a-b1e6-68fab60f6267 |
Medium | Access Control | Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' b69247e5-7e73-464e-ba74-ec9b715c6e12 |
Medium | Access Control | User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' 8055dec2-efb8-4fe6-8837-d9bed6ff202a |
Medium | Access Control | User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' 8f3c16b3-354d-45db-8ad5-5066778a9485 |
Medium | Access Control | Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:AttachUserPolicy' 70cb518c-d990-46f6-bc05-44a5041493d6 |
Medium | Access Control | User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Elasticsearch Domain With Vulnerable Policy 16c4216a-50d3-4785-bfb2-4adb5144a8ba |
Medium | Access Control | Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more) | Documentation |
| User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' 9b877bd8-94b4-4c10-a060-8e0436cc09fa |
Medium | Access Control | User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Glue With Vulnerable Policy d25edb51-07fb-4a73-97d4-41cecdc53a22 |
Medium | Access Control | Glue policy should avoid wildcard in 'principals' and 'actions' (read more) | Documentation |
| AMI Shared With Multiple Accounts ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698 |
Medium | Access Control | Limits access to AWS AMIs by checking if more than one account is using the same image (read more) | Documentation |
| Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' 0a592060-8166-49f5-8e65-99ac6dce9871 |
Medium | Access Control | Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:AttachUserPolicy' 7c96920c-6fd0-449d-9a52-0aa431b6beaf |
Medium | Access Control | Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy' 70b42736-efee-4bce-80d5-50358ed94990 |
Medium | Access Control | Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:AddUserToGroup' b8a31292-509d-4b61-bc40-13b167db7e9c |
Medium | Access Control | Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:AddUserToGroup' 970ed7a2-0aca-4425-acf1-0453c9ecbca1 |
Medium | Access Control | Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| IAM Access Key Is Exposed 7081f85c-b94d-40fd-8b45-a4f1cac75e46 |
Medium | Access Control | IAM Access Key should not be active for root users (read more) | Documentation |
| Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' fa62ac4f-f5b9-45b9-97c1-625c8b6253ca |
Medium | Access Control | Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' 43a41523-386a-4cb1-becb-42af6b414433 |
Medium | Access Control | User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:PutUserPolicy' 60263b4a-6801-4587-911d-919c37ed733b |
Medium | Access Control | Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| IAM User With Access To Console 9ec311bf-dfd9-421f-8498-0b063c8bc552 |
Medium | Access Control | AWS IAM Users should not have access to console (read more) | Documentation |
| Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' c583f0f9-7dfd-476b-a056-f47c62b47b46 |
Medium | Access Control | Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:AttachRolePolicy' 3dd96caa-0b5f-4a85-b929-acfac4646cc2 |
Medium | Access Control | Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| CloudWatch Logs Destination With Vulnerable Policy db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8 |
Medium | Access Control | CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ec49cbfd-fae4-45f3-81b1-860526d66e3f |
Medium | Access Control | Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:PutUserPolicy' 0c10d7da-85c4-4d62-b2a8-d6c104f1bd77 |
Medium | Access Control | User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:CreateLoginProfile' 04c686f1-e0cd-4812-88e1-4e038410074c |
Medium | Access Control | Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Public Lambda via API Gateway 3ef8696c-e4ae-4872-92c7-520bb44dfe77 |
Medium | Access Control | Allowing to run lambda function using public API Gateway (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' 33627268-1445-4385-988a-318fd9d1a512 |
Medium | Access Control | User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' f1173d8c-3264-4148-9fdb-61181e031b51 |
Medium | Access Control | Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:CreateAccessKey' 113208f2-a886-4526-9ecc-f3218600e12c |
Medium | Access Control | User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'iam:AttachGroupPolicy' 6d23d87e-1c5b-4308-b224-92624300f29b |
Medium | Access Control | User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| API Gateway Without Configured Authorizer 0a96ce49-4163-4ee6-8169-eb3b0797d694 |
Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' 7782d4b3-e23e-432b-9742-d9528432e771 |
Medium | Access Control | Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| S3 Bucket Allows Public ACL d0cc8694-fcad-43ff-ac86-32331d7e867f |
Medium | Access Control | S3 bucket allows public ACL (read more) | Documentation |
| Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' be2aa235-bd93-4b68-978a-1cc65d49082f |
Medium | Access Control | Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ee49557d-750c-4cc1-aa95-94ab36cbefde |
Medium | Access Control | Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| REST API With Vulnerable Policy b161c11b-a59b-4431-9a29-4e19f63e6b27 |
Medium | Access Control | REST API policy should avoid wildcard in 'Action' and 'Principal' (read more) | Documentation |
| Elasticsearch Without IAM Authentication e7530c3c-b7cf-4149-8db9-d037a0b5268e |
Medium | Access Control | AWS Elasticsearch should ensure IAM Authentication (read more) | Documentation |
| ECR Repository Is Publicly Accessible e86e26fc-489e-44f0-9bcd-97305e4ba69a |
Medium | Access Control | Amazon ECR image repositories shouldn't have public access (read more) | Documentation |
| Role With Privilege Escalation By Actions 'iam:PutGroupPolicy' d6047119-a0b2-4b59-a4f2-127a36fb685b |
Medium | Access Control | Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:CreateAccessKey' 846646e3-2af1-428c-ac5d-271eccfa6faf |
Medium | Access Control | Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| Group With Privilege Escalation By Actions 'iam:AttachUserPolicy' db78d14b-10e5-4e6e-84b1-dace6327b1ec |
Medium | Access Control | Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' 89561b03-cb35-44a9-a7e9-8356e71606f4 |
Medium | Access Control | User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more) | Documentation |
| SQS Policy With Public Access 730675f9-52ed-49b6-8ead-0acb5dd7df7f |
Medium | Access Control | Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more) | Documentation |
| Auto Scaling Group With No Associated ELB 8e94dced-9bcc-4203-8eb7-7e41202b2505 |
Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more) | Documentation |
| ElastiCache Nodes Not Created Across Multi AZ 6db03a91-f933-4f13-ab38-a8b87a7de54d |
Medium | Availability | ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more) | Documentation |
| CMK Is Unusable 7350fa23-dcf7-4938-916d-6a60b0c73b50 |
Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more) | Documentation |
| ECS Service Without Running Tasks 91f16d09-689e-4926-aca7-155157f634ed |
Medium | Availability | ECS Service should have at least 1 task running (read more) | Documentation |
| Stack Retention Disabled 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97 |
Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more) | Documentation |
| ElastiCache Redis Cluster Without Backup 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab |
Medium | Backup | ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more) | Documentation |
| RDS With Backup Disabled 1dc73fb4-5b51-430c-8c5f-25dcf9090b02 |
Medium | Backup | Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more) | Documentation |
| Cognito UserPool Without MFA ec28bf61-a474-4dbe-b414-6dd3a067d6f0 |
Medium | Best Practices | AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more) | Documentation |
| IAM Password Without Minimum Length 1bc1c685-e593-450e-88fb-19db4c82aa1d |
Medium | Best Practices | IAM password should have the required minimum length (read more) | Documentation |
| ALB Not Dropping Invalid Headers 6e3fd2ed-5c83-4c68-9679-7700d224d379 |
Medium | Best Practices | It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more) | Documentation |
| Password Without Reuse Prevention 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a |
Medium | Best Practices | Check if IAM account password has the reuse password configured with 24 (read more) | Documentation |
| RDS Cluster With Backup Disabled e542bd46-58c4-4e0f-a52a-1fb4f9548e02 |
Medium | Best Practices | RDS Cluster backup retention period should be specifically defined (read more) | Documentation |
| IAM Password Without Symbol 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48 |
Medium | Best Practices | IAM password should have the required symbols (read more) | Documentation |
| IAM Password Without Uppercase Letter c5ff7bc9-d8ea-46dd-81cb-8286f3222249 |
Medium | Best Practices | IAM password should have at least one uppercase letter (read more) | Documentation |
| Misconfigured Password Policy Expiration ce60d060-efb8-4bfd-9cf7-ff8945d00d90 |
Medium | Best Practices | No password expiration policy (read more) | Documentation |
| IAM Password Without Lowercase Letter bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9 |
Medium | Best Practices | IAM Password should have at least one lowercase letter (read more) | Documentation |
| Stack Without Template 91bea7b8-0c31-4863-adc9-93f6177266c4 |
Medium | Build Process | AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more) | Documentation |
| AmazonMQ Broker Encryption Disabled 3db3f534-e3a3-487f-88c7-0a9fbf64b702 |
Medium | Encryption | AmazonMQ Broker should have Encryption Options defined (read more) | Documentation |
| Unscanned ECR Image 9630336b-3fed-4096-8173-b9afdfe346a7 |
Medium | Encryption | Checks if the ECR Image has been scanned (read more) | Documentation |
| Redis Disabled 4bd15dd9-8d5e-4008-8532-27eb0c3706d3 |
Medium | Encryption | ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more) | Documentation |
| CloudWatch Log Group Without KMS 0afbcfe9-d341-4b92-a64c-7e6de0543879 |
Medium | Encryption | AWS CloudWatch Log groups should be encrypted using KMS (read more) | Documentation |
| ElasticSearch Not Encrypted At Rest 24e16922-4330-4e9d-be8a-caa90299466a |
Medium | Encryption | Check if ElasticSearch encryption is disabled at Rest (read more) | Documentation |
| SNS Topic Encrypted With AWS Managed Key b1a72f66-2236-4f3b-87ba-0da1b366956f |
Medium | Encryption | SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more) | Documentation |
| ElasticSearch Encryption With KMS Disabled 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2 |
Medium | Encryption | Check if any ElasticSearch domain isn't encrypted with KMS. (read more) | Documentation |
| DOCDB Cluster Encrypted With AWS Managed Key 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d |
Medium | Encryption | DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more) | Documentation |
| SNS Topic Not Encrypted 28545147-2fc6-42d5-a1f9-cf226658e591 |
Medium | Encryption | SNS (Simple Notification Service) Topic should be encrypted (read more) | Documentation |
| Secretsmanager Secret Encrypted With AWS Managed Key b0d3ef3f-845d-4b1b-83d6-63a5a380375f |
Medium | Encryption | Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more) | Documentation |
| ElastiCache Replication Group Not Encrypted At Transit 1afbb3fa-cf6c-4a3d-b730-95e9f4df343e |
Medium | Encryption | ElastiCache Replication Group encryption should be enabled at Transit (read more) | Documentation |
| Elasticsearch Domain Not Encrypted Node To Node 967eb3e6-26fc-497d-8895-6428beb6e8e2 |
Medium | Encryption | Elasticsearch Domain encryption should be enabled node to node (read more) | Documentation |
| Secretsmanager Secret Without KMS a2f548f2-188c-4fff-b172-e9a6acb216bd |
Medium | Encryption | AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more) | Documentation |
| SSM Session Transit Encryption Disabled ce60cc6b-6831-4bd7-84a2-cc7f8ee71433 |
Medium | Encryption | SSM Session should be encrypted in transit (read more) | Documentation |
| Neptune Database Cluster Encryption Disabled 98d59056-f745-4ef5-8613-32bca8d40b7e |
Medium | Encryption | Neptune database cluster storage should have encryption enabled (read more) | Documentation |
| DynamoDB Table Not Encrypted ce089fd4-1406-47bd-8aad-c259772bb294 |
Medium | Encryption | AWS DynamoDB Tables should have server-side encryption (read more) | Documentation |
| SQS With SSE Disabled 6e8849c1-3aa7-40e3-9063-b85ee300f29f |
Medium | Encryption | Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more) | Documentation |
| EBS Volume Encryption Disabled cc997676-481b-4e93-aa81-d19f8c5e9b12 |
Medium | Encryption | EBS volumes should be encrypted (read more) | Documentation |
| ElastiCache Replication Group Not Encrypted At Rest 76976de7-c7b1-4f64-a94f-90c1345914c2 |
Medium | Encryption | ElastiCache Replication Group encryption should be enabled at Rest (read more) | Documentation |
| API Gateway With Invalid Compression ed35928e-195c-4405-a252-98ccb664ab7b |
Medium | Encryption | API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more) | Documentation |
| Config Rule For Encrypted Volumes Disabled abdb29d4-5ca1-4e91-800b-b3569bbd788c |
Medium | Encryption | Check if AWS config rules do not identify Encrypted Volumes as a source. (read more) | Documentation |
| S3 Bucket Policy Accepts HTTP Requests 4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9 |
Medium | Encryption | S3 Bucket policy should not accept HTTP Requests (read more) | Documentation |
| Service Control Policies Disabled 5ba6229c-8057-433e-91d0-21cf13569ca9 |
Medium | Insecure Configurations | Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more) | Documentation |
| EKS Cluster Has Public Access 42f4b905-3736-4213-bfe9-c0660518cda8 |
Medium | Insecure Configurations | Amazon EKS public endpoint shoud be set to false (read more) | Documentation |
| API Gateway With Open Access 15ccec05-5476-4890-ad19-53991eba1db8 |
Medium | Insecure Configurations | API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more) | Documentation |
| IAM User Has Too Many Access Keys 3561130e-9c5f-485b-9e16-2764c82763e5 |
Medium | Insecure Configurations | Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more) | Documentation |
| Redshift Cluster Without VPC 0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3 |
Medium | Insecure Configurations | Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more) | Documentation |
| AWS Password Policy With Unchangeable Passwords 9ef7d25d-9764-4224-9968-fa321c56ef76 |
Medium | Insecure Configurations | Unchangeable passwords in AWS password policy (read more) | Documentation |
| Certificate RSA Key Bytes Lower Than 256 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b |
Medium | Insecure Configurations | The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more) | Documentation |
| ECR Image Tag Not Immutable d1846b12-20c5-4d45-8798-fc35b79268eb |
Medium | Insecure Configurations | ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more) | Documentation |
| API Gateway Without SSL Certificate 0b4869fc-a842-4597-aa00-1294df425440 |
Medium | Insecure Configurations | SSL Client Certificate should be enabled (read more) | Documentation |
| Instance With No VPC a31a5a29-718a-4ff4-8001-a69e5e4d029e |
Medium | Insecure Configurations | EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more) | Documentation |
| MQ Broker Is Publicly Accessible 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb |
Medium | Insecure Configurations | Check if any MQ Broker is not publicly accessible (read more) | Documentation |
| API Gateway Endpoint Config is Not Private 6b2739db-9c49-4db7-b980-7816e0c248c1 |
Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more) | Documentation |
| Dynamodb VPC Endpoint Without Route Table Association 0bc534c5-13d1-4353-a7fe-b8665d5c1d7d |
Medium | Networking and Firewall | Dynamodb VPC Endpoint should be associated with Route Table Association (read more) | Documentation |
| VPC Without Network Firewall fd632aaf-b8a1-424d-a4d1-0de22fd3247a |
Medium | Networking and Firewall | VPC should have a Network Firewall associated (read more) | Documentation |
| API Gateway without WAF a186e82c-1078-4a7b-85d8-579561fde884 |
Medium | Networking and Firewall | API Gateway should have WAF (Web Application Firewall) enabled (read more) | Documentation |
| VPC Subnet Assigns Public IP 52f04a44-6bfa-4c41-b1d3-4ae99a2de05c |
Medium | Networking and Firewall | VPC Subnet should not assign public IP (read more) | Documentation |
| Sensitive Port Is Exposed To Small Public Network e35c16a2-d54e-419d-8546-a804d8e024d0 |
Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more) | Documentation |
| SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible 54c417bf-c762-48b9-9d31-b3d87047e3f0 |
Medium | Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more) | Documentation |
| Sensitive Port Is Exposed To Wide Private Network 92fe237e-074c-4262-81a4-2077acb928c1 |
Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more) | Documentation |
| SQS VPC Endpoint Without DNS Resolution e9b7acf9-9ba0-4837-a744-31e7df1e434d |
Medium | Networking and Firewall | SQS VPC Endpoint should have DNS resolution enabled (read more) | Documentation |
| ALB Is Not Integrated With WAF 0afa6ab8-a047-48cf-be07-93a2f8c34cf7 |
Medium | Networking and Firewall | All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more) | Documentation |
| Configuration Aggregator to All Regions Disabled ac5a0bc0-a54c-45aa-90c3-15f7703b9132 |
Medium | Observability | AWS Config Configuration Aggregator All Regions must be set to True (read more) | Documentation |
| ElasticSearch Without Slow Logs e979fcbc-df6c-422d-9458-c33d65e71c45 |
Medium | Observability | Ensure that AWS Elasticsearch enables support for slow logs (read more) | Documentation |
| CloudWatch Management Console Auth Failed Alarm Missing 5864d189-ee9a-4009-ac0c-8a582e6b7919 |
Medium | Observability | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more) | Documentation |
| Stack Notifications Disabled b72d0026-f649-4c91-a9ea-15d8f681ac09 |
Medium | Observability | AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more) | Documentation |
| API Gateway Deployment Without Access Log Setting 625abc0e-f980-4ac9-a775-f7519ee34296 |
Medium | Observability | API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more) | Documentation |
| CloudFront Logging Disabled 94690d79-b3b0-43de-b656-84ebef5753e5 |
Medium | Observability | AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more) | Documentation |
| CloudWatch S3 policy Change Alarm Missing 27c6a499-895a-4dc7-9617-5c485218db13 |
Medium | Observability | Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more) | Documentation |
| MSK Cluster Logging Disabled 2f56b7ab-7fba-4e93-82f0-247e5ddeb239 |
Medium | Observability | Ensure MSK Cluster Logging is enabled (read more) | Documentation |
| GuardDuty Detector Disabled 704dadd3-54fc-48ac-b6a0-02f170011473 |
Medium | Observability | Make sure that Amazon GuardDuty is Enabled (read more) | Documentation |
| S3 Bucket Logging Disabled f861041c-8c9f-4156-acfc-5e6e524f5884 |
Medium | Observability | Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more) | Documentation |
| CloudTrail Multi Region Disabled 8173d5eb-96b5-4aa6-a71b-ecfa153c123d |
Medium | Observability | CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more) | Documentation |
| Cloudwatch Cloudtrail Configuration Changes Alarm Missing 0f6cbf69-41bb-47dc-93f3-3844640bf480 |
Medium | Observability | Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more) | Documentation |
| CloudWatch Logging Disabled 7dbba512-e244-42dc-98bb-422339827967 |
Medium | Observability | Check if CloudWatch logging is disabled for Route53 hosted zones (read more) | Documentation |
| CloudWatch Metrics Disabled 081069cb-588b-4ce1-884c-2a1ce3029fe5 |
Medium | Observability | Checks if CloudWatch Metrics is Enabled (read more) | Documentation |
| S3 Bucket Object Level CloudTrail Logging Disabled a8fc2180-b3ac-4c93-bd0d-a55b974e4b07 |
Medium | Observability | S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more) | Documentation |
| S3 Bucket Without Versioning 568a4d22-3517-44a6-a7ad-6a7eed88722c |
Medium | Observability | S3 bucket should have versioning enabled (read more) | Documentation |
| CloudWatch Without Retention Period Specified ef0b316a-211e-42f1-888e-64efe172b755 |
Medium | Observability | AWS CloudWatch Log groups should have retention days specified (read more) | Documentation |
| API Gateway Access Logging Disabled 1b6799eb-4a7a-4b04-9001-8cceb9999326 |
Medium | Observability | API Gateway should have Access Log Settings defined (read more) | Documentation |
| CloudTrail Not Integrated With CloudWatch 17b30f8f-8dfb-4597-adf6-57600b6cf25e |
Medium | Observability | CloudTrail should be integrated with CloudWatch (read more) | Documentation |
| Redshift Cluster Logging Disabled 15ffbacc-fa42-4f6f-a57d-2feac7365caa |
Medium | Observability | Make sure Logging is enabled for Redshift Cluster (read more) | Documentation |
| Default VPC Exists 96ed3526-0179-4c73-b1b2-372fde2e0d13 |
Medium | Observability | It isn't recommended to use resources in default VPC (read more) | Documentation |
| Elasticsearch Log Disabled acb6b4e2-a086-4f35-aefd-4db6ea51ada2 |
Medium | Observability | AWS Elasticsearch should have logs enabled (read more) | Documentation |
| ELB Access Log Disabled 20018359-6fd7-4d05-ab26-d4dffccbdf79 |
Medium | Observability | ELB should have logging enabled to help on error investigation (read more) | Documentation |
| CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing 56a585f5-555c-48b2-8395-e64e4740a9cf |
Medium | Observability | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more) | Documentation |
| CloudWatch AWS Organizations Changes Missing Alarm 38b85c45-e772-4de8-a247-69619ca137b3 |
Medium | Observability | Ensure a log metric filter and alarm exist for AWS organizations changes (read more) | Documentation |
| API Gateway X-Ray Disabled 5813ef56-fa94-406a-b35d-977d4a56ff2b |
Medium | Observability | API Gateway should have X-Ray Tracing enabled (read more) | Documentation |
| Cloudwatch Security Group Changes Alarm Missing 4beaf898-9f8b-4237-89e2-5ffdc7ee6006 |
Medium | Observability | Ensure a log metric filter and alarm exist for security group changes (read more) | Documentation |
| API Gateway With CloudWatch Logging Disabled 982aa526-6970-4c59-8b9b-2ce7e019fe36 |
Medium | Observability | AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more) | Documentation |
| CloudTrail SNS Topic Name Undefined 482b7d26-0bdb-4b5f-bf6f-545826c0a3dd |
Medium | Observability | Check if SNS topic name is set for CloudTrail (read more) | Documentation |
| MQ Broker Logging Disabled 31245f98-a6a9-4182-9fc1-45482b9d030a |
Medium | Observability | Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more) | Documentation |
| No Stack Policy 2f01fb2d-828a-499d-b98e-b83747305052 |
Medium | Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more) | Documentation |
| Hardcoded AWS Access Key In Lambda 1402afd8-a95c-4e84-8b0b-6fb43758e6ce |
Medium | Secret Management | Lambda access/secret keys should not be hardcoded (read more) | Documentation |
| Hardcoded AWS Access Key d7b9d850-3e06-4a75-852f-c46c2e92240b |
Medium | Secret Management | AWS Access Key should not be hardcoded (read more) | Documentation |
| EC2 Instance Using Default Security Group f1adc521-f79a-4d71-b55b-a68294687432 |
Low | Access Control | EC2 instances should not use default security group(s) (read more) | Documentation |
| IAM Policy Grants 'AssumeRole' Permission Across All Services bcdcbdc6-a350-4855-ae7c-d1e6436f7c97 |
Low | Access Control | IAM Policy should not grant 'AssumeRole' permission across all services. (read more) | Documentation |
| EC2 Instance Using API Keys 0b93729a-d882-4803-bdc3-ac429a21f158 |
Low | Access Control | EC2 instances should use roles to be granted access to other AWS services (read more) | Documentation |
| S3 Bucket Public ACL Overridden By Public Access Block bf878b1a-7418-4de3-b13c-3a86cf894920 |
Low | Access Control | S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more) | Documentation |
| IAM Group Without Users fc101ca7-c9dd-4198-a1eb-0fbe92e80044 |
Low | Access Control | IAM Group should have at least one user associated (read more) | Documentation |
| SSO Identity User Unsafe Creation 4003118b-046b-4640-b200-b8c7a4c8b89f |
Low | Access Control | The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more) | Documentation |
| IAM Role Allows All Principals To Assume 12b7e704-37f0-4d1e-911a-44bf60c48c21 |
Low | Access Control | IAM role allows all services or principals to assume it (read more) | Documentation |
| Autoscaling Groups Supply Tags ba48df05-eaa1-4d64-905e-4a4b051e7587 |
Low | Availability | Autoscaling groups should supply tags to configurate (read more) | Documentation |
| Lambda Permission Misconfigured 75ec6890-83af-4bf1-9f16-e83726df0bd0 |
Low | Best Practices | Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more) | Documentation |
| CDN Configuration Is Missing 1bc367f6-901d-4870-ad0c-71d79762ef52 |
Low | Best Practices | Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more) | Documentation |
| Automatic Minor Upgrades Disabled 3b6d777b-76e3-4133-80a3-0d6f667ade7f |
Low | Best Practices | RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more) | Documentation |
| ECR Repository Without Policy 69e7c320-b65d-41bb-be02-d63ecc0bcc9d |
Low | Best Practices | ECR Repository should have Policies attached to it (read more) | Documentation |
| IAM Access Analyzer Not Enabled e592a0c5-5bdb-414c-9066-5dba7cdea370 |
Low | Best Practices | IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more) | Documentation |
| Lambda IAM InvokeFunction Misconfigured 0ca1017d-3b80-423e-bb9c-6cd5898d34bd |
Low | Best Practices | Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more) | Documentation |
| CloudTrail Log Files Not Encrypted With KMS 5d9e3164-9265-470c-9a10-57ae454ac0c7 |
Low | Encryption | Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more) | Documentation |
| ECR Repository Not Encrypted With CMK 0e32d561-4b5a-4664-a6e3-a3fa85649157 |
Low | Encryption | ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more) | Documentation |
| ALB Deletion Protection Disabled afecd1f1-6378-4f7e-bb3b-60c35801fdd4 |
Low | Insecure Configurations | Application Load Balancer should have deletion protection enabled (read more) | Documentation |
| S3 Bucket Without Ignore Public ACL 4fa66806-0dd9-4f8d-9480-3174d39c7c91 |
Low | Insecure Configurations | S3 bucket without ignore public ACL (read more) | Documentation |
| Redshift Using Default Port 41abc6cc-dde1-4217-83d3-fb5f0cc09d8f |
Low | Networking and Firewall | Redshift should not use the default port (5439) because an attacker can easily guess the port (read more) | Documentation |
| RDS Using Default Port bca7cc4d-b3a4-4345-9461-eb69c68fcd26 |
Low | Networking and Firewall | RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more) | Documentation |
| Shield Advanced Not In Use 084c6686-2a70-4710-91b1-000393e54c12 |
Low | Networking and Firewall | AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more) | Documentation |
| CloudFront Without WAF 1419b4c6-6d5c-4534-9cf6-6a5266085333 |
Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more) | Documentation |
| EC2 Instance Using Default VPC 7e4a6e76-568d-43ef-8c4e-36dea481bff1 |
Low | Networking and Firewall | EC2 Instances should not be configured under a default VPC network (read more) | Documentation |
| ElastiCache Using Default Port 5d89db57-8b51-4b38-bb76-b9bd42bd40f0 |
Low | Networking and Firewall | ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more) | Documentation |
| EMR Without VPC 2b3c8a6d-9856-43e6-ab1d-d651094f03b4 |
Low | Networking and Firewall | Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more) | Documentation |
| ElastiCache Without VPC 8c849af7-a399-46f7-a34c-32d3dc96f1fc |
Low | Networking and Firewall | ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more) | Documentation |
| Missing Cluster Log Types 66f130d9-b81d-4e8e-9b08-da74b9c891df |
Low | Observability | Amazon EKS control plane logging don't enabled for all log types (read more) | Documentation |
| Lambda Functions Without X-Ray Tracing 8152e0cf-d2f0-47ad-96d5-d003a76eabd1 |
Low | Observability | AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more) | Documentation |
| CloudWatch AWS Config Configuration Changes Alarm Missing 5b8d7527-de8e-4114-b9dd-9d988f1f418f |
Low | Observability | Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more) | Documentation |
| CloudWatch Network Gateways Changes Alarm Missing 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e |
Low | Observability | Ensure a log metric filter and alarm exist for network gateways changes (read more) | Documentation |
| ECS Cluster with Container Insights Disabled 97cb0688-369a-4d26-b1f7-86c4c91231bc |
Low | Observability | ECS Cluster should enable container insights (read more) | Documentation |
| DocDB Logging Is Disabled 56f6a008-1b14-4af4-b9b2-ab7cf7e27641 |
Low | Observability | DocDB logging should be enabled (read more) | Documentation |
| VPC FlowLogs Disabled f83121ea-03da-434f-9277-9cd247ab3047 |
Low | Observability | Every VPC resource should have an associated Flow Log (read more) | Documentation |
| CloudWatch VPC Changes Alarm Missing 9d0d4512-1959-43a2-a17f-72360ff06d1b |
Low | Observability | Ensure a log metric filter and alarm exist for VPC changes (read more) | Documentation |
| EKS cluster logging is not enabled 37304d3f-f852-40b8-ae3f-725e87a7cedf |
Low | Observability | Amazon EKS control plane logging is not enabled (read more) | Documentation |
| CloudTrail Log File Validation Disabled 52ffcfa6-6c70-4ea6-8376-d828d3961669 |
Low | Observability | CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more) | Documentation |
| API Gateway Deployment Without API Gateway UsagePlan Associated b3a59b8e-94a3-403e-b6e2-527abaf12034 |
Low | Observability | API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more) | Documentation |
| CloudWatch Changes To NACL Alarm Missing 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0 |
Low | Observability | Ensure a log metric filter and alarm exist for changes to NACL (read more) | Documentation |
| CloudWatch Route Table Changes Alarm Missing 2285e608-ddbc-47f3-ba54-ce7121e31216 |
Low | Observability | Ensure a log metric filter and alarm exist for route table changes (read more) | Documentation |
| Global Accelerator Flow Logs Disabled 96e8183b-e985-457b-90cd-61c0503a3369 |
Low | Observability | Global Accelerator should have flow logs enabled (read more) | Documentation |
| API Gateway Stage Without API Gateway UsagePlan Associated c999cf62-0920-40f8-8dda-0caccd66ed7e |
Low | Resource Management | API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more) | Documentation |
| Security Group Not Used 4849211b-ac39-479e-ae78-5694d506cb24 |
Info | Access Control | Security group must be used or not declared (read more) | Documentation |
| Security Group Rule Without Description cb3f5ed6-0d18-40de-a93d-b3538db31e8c |
Info | Best Practices | It's considered a best practice for AWS Security Group to have a description (read more) | Documentation |
| EC2 Not EBS Optimized 60224630-175a-472a-9e23-133827040766 |
Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more) | Documentation |
| Security Group Rule Without Description 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e |
Info | Best Practices | It's considered a best practice for all rules in AWS Security Group to have a description (read more) | Documentation |
| Resource Not Using Tags e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10 |
Info | Best Practices | AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more) | Documentation |
| DynamoDB Table Point In Time Recovery Disabled 741f1291-47ac-4a85-a07b-3d32a9d6bd3e |
Info | Best Practices | It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more) | Documentation |
| RDS Without Logging 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56 |
Info | Observability | RDS does not have any kind of logger (read more) | Documentation |
| Neptune Logging Is Disabled 45cff7b6-3b80-40c1-ba7b-2cf480678bb8 |
Info | Observability | Neptune logging should be enabled (read more) | Documentation |
| EC2 Instance Monitoring Disabled 23b70e32-032e-4fa6-ba5c-82f56b9980e6 |
Info | Observability | EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more) | Documentation |
SHARED (V2/V3)¶
Bellow are listed queries related with Terraform SHARED (V2/V3):
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Variable Without Description 2a153952-2544-4687-bcc9-cc8fea814a9b |
Info | Best Practices | All variables should contain a valid description. (read more) | Documentation |
| Variable Without Type fc5109bf-01fd-49fb-8bde-4492b543c34a |
Info | Best Practices | All variables should contain a valid type. (read more) | Documentation |
| Output Without Description 59312e8a-a64e-41e7-a252-618533dd1ea8 |
Info | Best Practices | All outputs should contain a valid description. (read more) | Documentation |
| Name Is Not Snake Case 1e434b25-8763-4b00-a5ca-ca03b7abbb66 |
Info | Best Practices | All names should follow snake case pattern. (read more) | Documentation |
| Generic Git Module Without Revision 3a81fc06-566f-492a-91dd-7448e409e2cd |
Info | Best Practices | All generic git repositories should reference a revision. (read more) | Documentation |
ALICLOUD¶
Bellow are listed queries related with Terraform ALICLOUD:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Ram Policy Admin Access Not Attached to Users Groups Roles e8e62026-da63-4904-b402-65adfe3ca975 |
High | Access Control | Ram policies with admin access should not be associated to users, groups or roles (read more) | Documentation |
| OSS Bucket Allows All Actions From All Principals ec62a32c-a297-41ca-a850-cab40b42094a |
High | Access Control | OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more) | Documentation |
| RAM Security Preference Not Enforce MFA Login dcda2d32-e482-43ee-a926-75eaabeaa4e0 |
High | Access Control | RAM Security preferences should enforce MFA login for RAM users (read more) | Documentation |
| OSS Bucket Allows Put Action From All Principals fe286195-e75c-4359-bd58-00847c4f855a |
High | Access Control | OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more) | Documentation |
| OSS Bucket Allows List Action From All Principals 88541597-6f88-42c8-bac6-7e0b855e8ff6 |
High | Access Control | OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more) | Documentation |
| OSS Bucket Public Access Enabled 62232513-b16f-4010-83d7-51d0e1d45426 |
High | Access Control | OSS Bucket should have public access disabled (read more) | Documentation |
| OSS Bucket Allows Delete Action From All Principals 8c0695d8-2378-4cd6-8243-7fd5894fa574 |
High | Access Control | OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more) | Documentation |
| Launch Template Is Not Encrypted 1455cb21-1d48-46d6-8ae3-cef911b71fd5 |
High | Encryption | ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more) | Documentation |
| NAS File System Without KMS 5f670f9d-b1b4-4c90-8618-2288f1ab9676 |
High | Encryption | NAS File System should have encryption provided by user KMS (read more) | Documentation |
| RDS Instance TDE Status Disabled 44d434ca-a9bf-4203-8828-4c81a8d5a598 |
High | Encryption | tde_status parameter should be Enabled for supported RDS instances (read more) | Documentation |
| NAS File System Not Encrypted 67bfdff1-31ce-4525-b564-e94368735360 |
High | Encryption | NAS File System must be encrypted (read more) | Documentation |
| Ecs Data Disk Kms Key Id Undefined f262118c-1ac6-4bb3-8495-cc48f1775b85 |
High | Encryption | Ecs Data Disk Kms Key Id should be set (read more) | Documentation |
| DB Instance Publicly Accessible faaefc15-51a5-419e-bb5e-51a4b5ab3485 |
High | Insecure Configurations | The field 'address' should not be set to '0.0.0.0/0' (read more) | Documentation |
| OSS Bucket Has Static Website 2b13c6ff-b87a-484d-86fd-21ef6e97d426 |
High | Insecure Configurations | Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more) | Documentation |
| RDS DB Instance Publicly Accessible 1b4565c0-4877-49ac-ab03-adebbccd42ae |
High | Insecure Configurations | '0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more) | Documentation |
| Public Security Group Rule Sensitive Port 2ae9d554-23fb-4065-bfd1-fe43d5f7c419 |
High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more) | Documentation |
| Public Security Group Rule All Ports or Protocols 60587dbd-6b67-432e-90f7-a8cf1892d968 |
High | Networking and Firewall | Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more) | Documentation |
| RDS Instance SSL Action Disabled 7a1ee8a9-71be-4b11-bb70-efb62d16863b |
High | Networking and Firewall | ssl_action parameter should be set to Open for RDS instances (read more) | Documentation |
| OSS Buckets Secure Transport Disabled c01d10de-c468-4790-b3a0-fc887a56f289 |
High | Networking and Firewall | OSS Buckets should have secure transport enabled (read more) | Documentation |
| OSS Bucket Ip Restriction Disabled 6107c530-7178-464a-88bc-df9cdd364ac8 |
High | Networking and Firewall | OSS Bucket should have ip restricted access (read more) | Documentation |
| ALB Listening on HTTP ee3b1557-9fb5-4685-a95d-93f1edf2a0d7 |
High | Networking and Firewall | Application Load Balancer (alb) Listener should not listen on HTTP (read more) | Documentation |
| API Gateway API Protocol Not HTTPS 1bcdf9f0-b1aa-40a4-b8c6-cd7785836843 |
High | Networking and Firewall | API Gateway API protocol should be set to HTTPS (read more) | Documentation |
| ActionTrail Trail OSS Bucket is Publicly Accessible 69b5d7da-a5db-4db9-a42e-90b65d0efb0b |
High | Observability | ActionTrail Trail OSS Bucket should not be publicly accessible (read more) | Documentation |
| RDS Instance Events Not Logged b9c524a4-fe76-4021-a6a2-cb978fb4fde1 |
High | Observability | All RDS Instance events trackers should be 'true' (read more) | Documentation |
| Ram Account Password Policy Not Required Minimum Length a9dfec39-a740-4105-bbd6-721ba163c053 |
High | Secret Management | Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more) | Documentation |
| Ram Account Password Policy Max Login Attempts Unrecommended e76fd7ab-7333-40c6-a2d8-ea28af4a319e |
High | Secret Management | Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more) | Documentation |
| Ram Policy Attached to User 66505003-7aba-45a1-8d83-5162d5706ef5 |
Medium | Access Control | Ram policies should not be attached to users (read more) | Documentation |
| CMK Is Unusable ed6e3ba0-278f-47b6-a1f5-173576b40b7e |
Medium | Availability | Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more) | Documentation |
| ROS Stack Retention Disabled 4bb06fa1-2114-4a00-b7b5-6aeab8b896f0 |
Medium | Backup | The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more) | Documentation |
| OSS Bucket Versioning Disabled 70919c0b-2548-4e6b-8d7a-3d84ab6dabba |
Medium | Backup | OSS Bucket should have versioning enabled (read more) | Documentation |
| ROS Stack Without Template 92d65c51-5d82-4507-a2a1-d252e9706855 |
Medium | Build Process | Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more) | Documentation |
| SLB Policy With Insecure TLS Version In Use dbfc834a-56e5-4750-b5da-73fda8e73f70 |
Medium | Encryption | SLB Policy should not support insecure versions of TLS protocol (read more) | Documentation |
| OSS Bucket Encryption Using CMK Disabled f20e97f9-4919-43f1-9be9-f203cd339cdd |
Medium | Encryption | OSS Bucket should have encryption enabled using Customer Master Key (read more) | Documentation |
| Disk Encryption Disabled 39750e32-3fe9-453b-8c33-dd277acdb2cc |
Medium | Encryption | Disks should have encryption enabled (read more) | Documentation |
| CS Kubernetes Node Pool Auto Repair Disabled 81ce9394-013d-4731-8fcc-9d229b474073 |
Medium | Insecure Configurations | Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more) | Documentation |
| Public Security Group Rule Unknown Port dd706080-b7a8-47dc-81fb-3e8184430ec0 |
Medium | Networking and Firewall | A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more) | Documentation |
| Kubernetes Cluster Without Terway as CNI Network Plugin b9b7ada8-3868-4a35-854e-6100a2bb863d |
Medium | Networking and Firewall | Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more) | Documentation |
| ROS Stack Notifications Disabled 9ef08939-ea40-489c-8851-667870b2ef50 |
Medium | Observability | The ROS Stack Notifications should be defined and populated to receive stack related events (read more) | Documentation |
| Action Trail Logging For All Regions Disabled c065b98e-1515-4991-9dca-b602bd6a2fbb |
Medium | Observability | Action Trail Logging for all regions should be enabled (read more) | Documentation |
| OSS Bucket Logging Disabled 05db341e-de7d-4972-a106-3e2bd5ee53e1 |
Medium | Observability | OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more) | Documentation |
| Log Retention Is Not Greater Than 90 Days ed6cf6ff-9a1f-491c-9f88-e03c0807f390 |
Medium | Observability | OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more) | Documentation |
| RDS Instance Retention Period Not Recommended dc158941-28ce-481d-a7fa-dc80761edf46 |
Medium | Observability | RDS Instance SQL Retention Period should be greater than 180 (read more) | Documentation |
| No ROS Stack Policy 72ceb736-0aee-43ea-a191-3a69ab135681 |
Medium | Resource Management | ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more) | Documentation |
| Ram Account Password Policy Max Password Age Unrecommended 2bb13841-7575-439e-8e0a-cccd9ede2fa8 |
Medium | Secret Management | Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more) | Documentation |
| Ram Account Password Policy Not Required Numbers 063234c0-91c0-4ab5-bbd0-47ddb5f23786 |
Medium | Secret Management | Ram Account Password Policy should have 'require_numbers' set to true (read more) | Documentation |
| RAM Account Password Policy Not Require at Least one Uppercase Character 5e0fb613-ba9b-44c3-88f0-b44188466bfd |
Medium | Secret Management | Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more) | Documentation |
| RAM Account Password Policy without Reuse Prevention a8128dd2-89b0-464b-98e9-5d629041dfe0 |
Medium | Secret Management | RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more) | Documentation |
| High KMS Key Rotation Period cb319d87-b90f-485e-a7e7-f2408380f309 |
Medium | Secret Management | KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more) | Documentation |
| Ram Account Password Policy Not Require At Least one Lowercase Character 89143358-cec6-49f5-9392-920c591c669c |
Medium | Secret Management | Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more) | Documentation |
| RAM Account Password Policy Not Required Symbols 41a38329-d81b-4be4-aef4-55b2615d3282 |
Medium | Secret Management | RAM account password security should require at least one symbol (read more) | Documentation |
| OSS Bucket Transfer Acceleration Disabled 8f98334a-99aa-4d85-b72a-1399ca010413 |
Low | Availability | OSS Bucket should have transfer acceleration enabled (read more) | Documentation |
| OSS Bucket Lifecycle Rule Disabled 7db8bd7e-9772-478c-9ec5-4bc202c5686f |
Low | Backup | OSS Bucket should have lifecycle rule enabled and set to true (read more) | Documentation |
| RDS Instance Log Disconnections Disabled d53f4123-f8d8-4224-8cb3-f920b151cc98 |
Low | Observability | log_disconnections parameter should be set to ON for RDS instances (read more) | Documentation |
| VPC Flow Logs Disabled d2731f3d-a992-44ed-812e-f4f1c2747d71 |
Low | Observability | Every VPC resource should have an associated Flow Log (read more) | Documentation |
| RDS Instance Log Duration Disabled a597e05a-c065-44e7-9cc8-742f572a504a |
Low | Observability | log_duration parameter should be set to ON for RDS instances (read more) | Documentation |
| RDS Instance Log Connections Disabled 140869ea-25f2-40d4-a595-0c0da135114e |
Low | Observability | 'log_connections' parameter should be set to ON for RDS instances (read more) | Documentation |
GCP_BOM¶
Bellow are listed queries related with Terraform GCP_BOM:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| BOM - GCP SB 2f06d22c-56bd-4f73-8a51-db001fcf2150 |
Trace | Bill Of Materials | A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more) | Documentation |
| BOM - GCP FI c9d81239-c818-4869-9917-1570c62b81fd |
Trace | Bill Of Materials | A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more) | Documentation |
| BOM - GCP Redis bc75ce52-a60a-4660-b533-bce837a5019b |
Trace | Bill Of Materials | A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more) | Documentation |
| BOM - GCP PD dd7d70aa-a6ec-460d-b5d2-38b40253b16f |
Trace | Bill Of Materials | A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more) | Documentation |
| BOM - GCP Dataflow 895ed0d9-6fec-4567-8614-d7a74b599a53 |
Trace | Bill Of Materials | A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more) | Documentation |
| BOM - GCP PST 4b82202a-b18e-4891-a1eb-a0989850bbb3 |
Trace | Bill Of Materials | A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more) | Documentation |
AWS_BOM¶
Bellow are listed queries related with Terraform AWS_BOM:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| BOM - AWS MSK 051f2063-2517-4295-ad8e-ba88c1bf5cfc |
Trace | Bill Of Materials | A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more) | Documentation |
| BOM - AWS Elasticache 54229498-850b-4f78-b3a7-218d24ef2c37 |
Trace | Bill Of Materials | A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more) | Documentation |
| BOM - AWS EBS 86571149-eef3-4280-a645-01e60df854b0 |
Trace | Bill Of Materials | A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more) | Documentation |
| BOM - AWS MQ fcb1b388-f558-4b7f-9b6e-f4e98abb7380 |
Trace | Bill Of Materials | A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more) | Documentation |
| BOM - AWS DynamoDB 23edf35f-7c22-4ff9-87e6-0ca74261cfbf |
Trace | Bill Of Materials | A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more) | Documentation |
| BOM - AWS Kinesis 0e59d33e-bba2-4037-8f88-9765647ca7ad |
Trace | Bill Of Materials | A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more) | Documentation |
| BOM - AWS EFS f53f16d6-46a9-4277-9fbe-617b1e24cdca |
Trace | Bill Of Materials | A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more) | Documentation |
| BOM - AWS SNS eccc4d59-74b9-4974-86f1-74386e0c7f33 |
Trace | Bill Of Materials | A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more) | Documentation |
| BOM - AWS RDS 12933609-c5bf-44b4-9a41-a6467c3b685b |
Trace | Bill Of Materials | A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more) | Documentation |
| BOM - AWS SQS baecd2da-492a-4d59-b9dc-29540a1398e0 |
Trace | Bill Of Materials | A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more) | Documentation |
| BOM - AWS S3 Buckets 2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045 |
Trace | Bill Of Materials | A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more) | Documentation |
KUBERNETES¶
Bellow are listed queries related with Terraform KUBERNETES:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Tiller (Helm v2) Is Deployed ca2fba76-c1a7-4afd-be67-5249f861cb0e |
High | Insecure Configurations | Check if Tiller is deployed. (read more) | Documentation |
| Cluster Allows Unsafe Sysctls a9174d31-d526-4ad9-ace4-ce7ddbf52e03 |
High | Insecure Configurations | A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more) | Documentation |
| PSP Allows Containers To Share The Host Network Namespace 4950837c-0ce5-4e42-9bee-a25eae73740b |
High | Insecure Configurations | Check if Pod Security Policies allow containers to share the host network namespace. (read more) | Documentation |
| Container Is Privileged 87065ef8-de9b-40d8-9753-f4a4303e27a4 |
High | Insecure Configurations | Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more) | Documentation |
| Not Limited Capabilities For Pod Security Policy 2acb555f-f4ad-4b1b-b984-84e6588f4b05 |
High | Insecure Configurations | Limit capabilities for a Pod Security Policy (read more) | Documentation |
| Privilege Escalation Allowed c878abb4-cca5-4724-92b9-289be68bd47c |
High | Insecure Configurations | Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more) | Documentation |
| Role Binding To Default Service Account 3360c01e-c8c0-4812-96a2-a6329b9b7f9f |
High | Insecure Defaults | No role nor cluster role should bind to a default service account (read more) | Documentation |
| Non Kube System Pod With Host Mount 86a947ea-f577-4efb-a8b0-5fc00257d521 |
Medium | Access Control | A non kube-system workload should not have hostPath mounted (read more) | Documentation |
| RBAC Roles with Read Secrets Permissions 826abb30-3cd5-4e0b-a93b-67729b4f7e63 |
Medium | Access Control | Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more) | Documentation |
| Permissive Access to Create Pods 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba |
Medium | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more) | Documentation |
| Readiness Probe Is Not Configured 8657197e-3f87-4694-892b-8144701d83c1 |
Medium | Availability | Check if Readiness Probe is not configured. (read more) | Documentation |
| Root Containers Admitted 4c415497-7410-4559-90e8-f2c8ac64ee38 |
Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more) | Documentation |
| Incorrect Volume Claim Access Mode ReadWriteOnce 26b047a9-0329-48fd-8fb7-05bbe5ba80ee |
Medium | Build Process | Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more) | Documentation |
| Containers With Sys Admin Capabilities 3f55386d-75cd-4e9a-ac47-167b26c04724 |
Medium | Insecure Configurations | Containers should not have CAP_SYS_ADMIN Linux capability (read more) | Documentation |
| NET_RAW Capabilities Not Being Dropped e5587d53-a673-4a6b-b3f2-ba07ec274def |
Medium | Insecure Configurations | Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more) | Documentation |
| Containers With Added Capabilities fe771ff7-ba15-4f8f-ad7a-8aa232b49a28 |
Medium | Insecure Configurations | Containers should not have extra capabilities allowed (read more) | Documentation |
| Workload Mounting With Sensitive OS Directory a737be28-37d8-4bff-aa6d-1be8aa0a0015 |
Medium | Insecure Configurations | Workload is mounting a volume with sensitive OS Directory (read more) | Documentation |
| Seccomp Profile Is Not Configured 455f2e0c-686d-4fcb-8b5f-3f953f12c43c |
Medium | Insecure Configurations | Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more) | Documentation |
| PSP Set To Privileged a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9 |
Medium | Insecure Configurations | Do not allow pod to request execution as privileged. (read more) | Documentation |
| PSP With Added Capabilities 48388bd2-7201-4dcc-b56d-e8a9efa58fad |
Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities (read more) | Documentation |
| Ingress Controller Exposes Workload e2c83c1f-84d7-4467-966c-ed41fd015bb9 |
Medium | Insecure Configurations | Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more) | Documentation |
| Container Runs Unmasked 0ad60203-c050-4115-83b6-b94bde92541d |
Medium | Insecure Configurations | Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more) | Documentation |
| PSP Allows Privilege Escalation 2bff9906-4e9b-4f71-9346-8ebedfdf43ef |
Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation (read more) | Documentation |
| Container Host Pid Is True 587d5d82-70cf-449b-9817-f60f9bccb88c |
Medium | Insecure Configurations | Minimize the admission of containers wishing to share the host process ID namespace (read more) | Documentation |
| Default Service Account In Use 737a0dd9-0aaa-4145-8118-f01778262b8a |
Medium | Insecure Configurations | Default service accounts should not be actively used (read more) | Documentation |
| Container Resources Limits Undefined 60af03ff-a421-45c8-b214-6741035476fa |
Medium | Insecure Configurations | Kubernetes container should have resource limitations defined such as CPU and memory (read more) | Documentation |
| Using Default Namespace abcb818b-5af7-4d72-aba9-6dd84956b451 |
Medium | Insecure Configurations | The default namespace should not be used (read more) | Documentation |
| PSP Allows Sharing Host IPC 51bed0ac-a8ae-407a-895e-90c6cb0610ce |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace (read more) | Documentation |
| NET_RAW Capabilities Disabled for PSP 9aa32890-ac1a-45ee-81ca-5164e2098556 |
Medium | Insecure Configurations | Containers need to have NET_RAW or All as drop capabilities (read more) | Documentation |
| Service Account Name Undefined Or Empty 24b132df-5cc7-4823-8029-f898e1c50b72 |
Medium | Insecure Defaults | A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more) | Documentation |
| Service Account Token Automount Not Disabled a9a13d4f-f17a-491b-b074-f54bffffcb4a |
Medium | Insecure Defaults | Service Account Tokens are automatically mounted even if not necessary (read more) | Documentation |
| Service With External Load Balancer 2a52567c-abb8-4651-a038-52fa27c77aed |
Medium | Networking and Firewall | Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more) | Documentation |
| Network Policy Is Not Targeting Any Pod b80b14c6-aaa2-4876-b651-8a48b6c32fbf |
Medium | Networking and Firewall | Check if any network policy is not targeting any pod. (read more) | Documentation |
| Memory Limits Not Defined fd097ed0-7fe6-4f58-8b71-fef9f0820a21 |
Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more) | Documentation |
| Volume Mount With OS Directory Write Permissions a62a99d1-8196-432f-8f80-3c100b05d62a |
Medium | Resource Management | Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more) | Documentation |
| Memory Requests Not Defined 21719347-d02b-497d-bda4-04a03c8e5b61 |
Medium | Resource Management | Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more) | Documentation |
| CPU Limits Not Set 5f4735ce-b9ba-4d95-a089-a37a767b716f |
Medium | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more) | Documentation |
| Shared Host Network Namespace ac1564a3-c324-4747-9fa1-9dfc234dace0 |
Medium | Resource Management | Container should not share the host network namespace (read more) | Documentation |
| Shared Host IPC Namespace e94d3121-c2d1-4e34-a295-139bfeb73ea3 |
Medium | Resource Management | Container should not share the host IPC namespace (read more) | Documentation |
| CPU Requests Not Set 577ac19c-6a77-46d7-9f14-e049cdd15ec2 |
Medium | Resource Management | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more) | Documentation |
| Shared Service Account f74b9c43-161a-4799-bc95-0b0ec81801b9 |
Medium | Secret Management | A Service Account token is shared between workloads (read more) | Documentation |
| Service Account Allows Access Secrets 07fc3413-e572-42f7-9877-5c8fc6fccfb5 |
Medium | Secret Management | Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more) | Documentation |
| Cluster Admin Rolebinding With Superuser Permissions 17172bc2-56fb-4f17-916f-a014147706cd |
Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) (read more) | Documentation |
| Missing App Armor Config bd6bd46c-57db-4887-956d-d372f21291b6 |
Low | Access Control | Containers should be configured with AppArmor for any application to reduce its potential attack (read more) | Documentation |
| Docker Daemon Socket is Exposed to Containers 4e203a65-c8d8-49a2-b749-b124d43c9dc1 |
Low | Access Control | Sees if Docker Daemon Socket is not exposed to Containers (read more) | Documentation |
| StatefulSet Without Service Name 420e6360-47bb-46f6-9072-b20ed22c842d |
Low | Availability | StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more) | Documentation |
| StatefulSet Without PodDisruptionBudget 7249e3b0-9231-4af3-bc5f-5daf4988ecbf |
Low | Availability | StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more) | Documentation |
| Liveness Probe Is Not Defined 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3 |
Low | Availability | In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more) | Documentation |
| HPA Targets Invalid Object 17e52ca3-ddd0-4610-9d56-ce107442e110 |
Low | Availability | The Horizontal Pod Autoscaler must target a valid object (read more) | Documentation |
| Deployment Without PodDisruptionBudget a05331ee-1653-45cb-91e6-13637a76e4f0 |
Low | Availability | Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more) | Documentation |
| No Drop Capabilities for Containers 21cef75f-289f-470e-8038-c7cee0664164 |
Low | Best Practices | Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more) | Documentation |
| Metadata Label Is Invalid bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e |
Low | Best Practices | Check if any label in the metadata is invalid. (read more) | Documentation |
| Root Container Not Mounted As Read-only d532566b-8d9d-4f3b-80bd-361fe802f9c2 |
Low | Build Process | Check if the root container filesystem is not being mounted as read-only. (read more) | Documentation |
| StatefulSet Requests Storage fcc2612a-1dfe-46e4-8ce6-0320959f0040 |
Low | Build Process | A StatefulSet requests volume storage. (read more) | Documentation |
| Image Pull Policy Of The Container Is Not Set To Always aa737abf-6b1d-4aba-95aa-5c160bd7f96e |
Low | Insecure Configurations | Image Pull Policy of the container must be defined and set to Always (read more) | Documentation |
| Pod or Container Without Security Context ad69e38a-d92e-4357-a8da-f2f29d545883 |
Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container (read more) | Documentation |
| Image Without Digest 228c4c19-feeb-4c18-848c-800ac70fdfb7 |
Low | Insecure Configurations | Images should be specified together with their digests to ensure integrity (read more) | Documentation |
| Service Type is NodePort 5c281bf8-d9bb-47f2-b909-3f6bb11874ad |
Low | Networking and Firewall | Service type should not be NodePort (read more) | Documentation |
| Workload Host Port Not Specified 4e74cf4f-ff65-4c1a-885c-67ab608206ce |
Low | Networking and Firewall | Verifies if Kubernetes workload's host port is specified (read more) | Documentation |
| Deployment Has No PodAntiAffinity 461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3 |
Low | Resource Management | Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more) | Documentation |
| CronJob Deadline Not Configured 58876b44-a690-4e9f-9214-7735fa0dd15d |
Low | Resource Management | Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more) | Documentation |
| Secrets As Environment Variables 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8 |
Low | Secret Management | Container should not use secrets as environment variables (read more) | Documentation |
| Invalid Image e76cca7c-c3f9-4fc9-884c-b2831168ebd8 |
Low | Supply-Chain | Image must be defined and not be empty or equal to latest. (read more) | Documentation |
GITHUB¶
Bellow are listed queries related with Terraform GITHUB:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Github Organization Webhook With SSL Disabled ce7c874e-1b88-450b-a5e4-cb76ada3c8a9 |
Medium | Encryption | Check if insecure SSL is being used in the GitHub organization webhooks (read more) | Documentation |
| GitHub Repository Set To Public 15d8a7fd-465a-4d15-a868-add86552f17b |
Medium | Insecure Configurations | Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more) | Documentation |
AZURE¶
Bellow are listed queries related with Terraform AZURE:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Role Assignment Of Guest Users 2bc626a8-0751-446f-975d-8139214fc790 |
High | Access Control | There is a role assignment for guest user (read more) | Documentation |
| Admin User Enabled For Container Registry b897dfbf-322c-45a8-b67c-1e698beeaa51 |
High | Access Control | Admin user is enabled for Container Registry (read more) | Documentation |
| Role Assignment Not Limit Guest User Permissions 8e75e431-449f-49e9-b56a-c8f1378025cf |
High | Access Control | Role Assignment should limit guest user permissions (read more) | Documentation |
| Storage Container Is Publicly Accessible dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299 |
High | Access Control | Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more) | Documentation |
| Function App Authentication Disabled e65a0733-94a0-4826-82f4-df529f4c593f |
High | Access Control | Azure Function App authentication settings should be enabled (read more) | Documentation |
| Public Storage Account 17f75827-0684-48f4-8747-61129c7e4198 |
High | Access Control | Storage Account should not be public to grant the principle of least privileges (read more) | Documentation |
| Geo Redundancy Is Disabled 8b042c30-e441-453f-b162-7696982ebc58 |
High | Backup | Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more) | Documentation |
| Azure Instance Using Basic Authentication dafe30ec-325d-4516-85d1-e8e6776f012c |
High | Best Practices | Azure Instances should use SSH Key instead of basic authentication (read more) | Documentation |
| App Service Not Using Latest TLS Encryption Version b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643 |
High | Encryption | Ensure App Service is using the latest version of TLS encryption (read more) | Documentation |
| MySQL SSL Connection Disabled 73e42469-3a86-4f39-ad78-098f325b4e9f |
High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more) | Documentation |
| Function App Not Using Latest TLS Encryption Version 45fc717a-bd86-415c-bdd8-677901be1aa6 |
High | Encryption | Ensure Function App is using the latest version of TLS encryption (read more) | Documentation |
| Storage Account Not Forcing HTTPS 12944ec4-1fa0-47be-8b17-42a034f937c2 |
High | Encryption | Storage Accounts should enforce the use of HTTPS (read more) | Documentation |
| SSL Enforce Disabled 0437633b-daa6-4bbc-8526-c0d2443b946e |
High | Encryption | Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more) | Documentation |
| AD Admin Not Configured For SQL Server a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b |
High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server (read more) | Documentation |
| Azure Container Registry With No Locks a187ac47-8163-42ce-8a63-c115236be6fb |
High | Insecure Configurations | Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more) | Documentation |
| AKS Private Cluster Disabled 599318f2-6653-4569-9e21-041d06c63a89 |
High | Insecure Configurations | Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more) | Documentation |
| Redis Not Updated Regularly b947809d-dd2f-4de9-b724-04d101c515aa |
High | Insecure Configurations | Redis Cache is not configured to be updated regularly with security and operational updates (read more) | Documentation |
| Web App Accepting Traffic Other Than HTTPS 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe |
High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service. (read more) | Documentation |
| Azure App Service Client Certificate Disabled a81573f9-3691-4d83-88a0-7d4af63e17a3 |
High | Insecure Configurations | Azure App Service client certificate should be enabled (read more) | Documentation |
| VM Not Attached To Network bbf6b3df-4b65-4f87-82cc-da9f30f8c033 |
High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine (read more) | Documentation |
| Network Watcher Flow Disabled b90842e5-6779-44d4-9760-972f4c03ba1c |
High | Insecure Configurations | Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more) | Documentation |
| App Service FTPS Enforce Disabled 85da374f-b00f-4832-9d44-84a1ca1e89f8 |
High | Insecure Configurations | Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more) | Documentation |
| Function App FTPS Enforce Disabled 9dab0179-433d-4dff-af8f-0091025691df |
High | Insecure Configurations | Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more) | Documentation |
| Redis Publicly Accessible 5089d055-53ff-421b-9482-a5267bdce629 |
High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources (read more) | Documentation |
| RDP Is Exposed To The Internet efbf6449-5ec5-4cfe-8f15-acc51e0d787c |
High | Networking and Firewall | Port 3389 (Remote Desktop) is exposed to the internet (read more) | Documentation |
| SQLServer Ingress From Any IP 25c0ea09-f1c5-4380-b055-3b83863f2bb8 |
High | Networking and Firewall | Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more) | Documentation |
| MSSQL Server Public Network Access Enabled ade36cf4-329f-4830-a83d-9db72c800507 |
High | Networking and Firewall | MSSQL Server public network access should be disabled (read more) | Documentation |
| CosmosDB Account IP Range Filter Not Set c2a3efb6-8a58-481c-82f2-bfddf34bb4b7 |
High | Networking and Firewall | The IP range filter should be defined to secure the data stored (read more) | Documentation |
| SSH Is Exposed To The Internet 3e3c175e-aadf-4e2b-a464-3fdac5748d24 |
High | Networking and Firewall | Port 22 (SSH) is exposed to the internet (read more) | Documentation |
| Trusted Microsoft Services Not Enabled 5400f379-a347-4bdd-a032-446465fdcc6f |
High | Networking and Firewall | Trusted Microsoft Services should be enabled for Storage Account access (read more) | Documentation |
| Redis Entirely Accessible fd8da341-6760-4450-b26c-9f6d8850575e |
High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet (read more) | Documentation |
| Sensitive Port Is Exposed To Entire Network 594c198b-4d79-41b8-9b36-fde13348b619 |
High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more) | Documentation |
| MySQL Server Public Access Enabled f118890b-2468-42b1-9ce9-af35146b425b |
High | Networking and Firewall | MySQL Server public access should be disabled (read more) | Documentation |
| Vault Auditing Disabled 38c71c00-c177-4cd7-8d36-cd1007cdb190 |
High | Observability | Ensure that logging for Azure KeyVault is 'Enabled' (read more) | Documentation |
| App Service Managed Identity Disabled b61cce4b-0cc4-472b-8096-15617a6d769b |
High | Resource Management | Azure App Service should have managed identity enabled (read more) | Documentation |
| PostgreSQL Server Threat Detection Policy Disabled c407c3cf-c409-4b29-b590-db5f4138d332 |
High | Resource Management | PostgreSQL Server Threat Detection Policy should be enabled (read more) | Documentation |
| SQL Database Audit Disabled 83a229ba-483e-47c6-8db7-dc96969bce5a |
High | Resource Management | Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more) | Documentation |
| Secret Expiration Not Set dfa20ffa-f476-428f-a490-424b41e91c7f |
High | Secret Management | Make sure that for all secrets the expiration date is set (read more) | Documentation |
| Key Expiration Not Set 4d080822-5ee2-49a4-8984-68f3d4c890fc |
High | Secret Management | Make sure that for all keys the expiration date is set (read more) | Documentation |
| Storage Share File Allows All ACL Permissions 48bbe0fd-57e4-4678-a4a1-119e79c90fc3 |
Medium | Access Control | Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more) | Documentation |
| Role Definition Allows Custom Role Creation 3fa5900f-9aac-4982-96b2-a6143d9c99fb |
Medium | Access Control | Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more) | Documentation |
| Storage Table Allows All ACL Permissions 3ac3e75c-6374-4a32-8ba0-6ed69bda404e |
Medium | Access Control | Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more) | Documentation |
| AKS RBAC Disabled 86f92117-eed8-4614-9c6c-b26da20ff37f |
Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more) | Documentation |
| Virtual Network with DDoS Protection Plan disabled b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a |
Medium | Availability | Virtual Network should have DDoS Protection Plan enabled (read more) | Documentation |
| SQL Server Predictable Admin Account Name 2ab6de9a-0136-415c-be92-79d2e4fd750f |
Medium | Best Practices | Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more) | Documentation |
| SQL Server Predictable Active Directory Account Name bcd3fc01-5902-4f2a-b05a-227f9bbf5450 |
Medium | Best Practices | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more) | Documentation |
| Security Contact Email 34664094-59e0-4524-b69f-deaa1a68cce3 |
Medium | Best Practices | Security Contact Email should be defined (read more) | Documentation |
| Cosmos DB Account Without Tags 56dad03e-e94f-4dd6-93a4-c253a03ff7a0 |
Medium | Build Process | Cosmos DB Account must have a mapping of tags. (read more) | Documentation |
| Storage Account Not Using Latest TLS Encryption Version 8263f146-5e03-43e0-9cfe-db960d56d1e7 |
Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption (read more) | Documentation |
| AKS Disk Encryption Set ID Undefined b17d8bb8-4c08-4785-867e-cb9e62a622aa |
Medium | Encryption | Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more) | Documentation |
| Encryption On Managed Disk Disabled a99130ab-4c0e-43aa-97f8-78d4fcb30024 |
Medium | Encryption | Ensure that the encryption is active on the disk (read more) | Documentation |
| AKS Network Policy Misconfigured f5342045-b935-402d-adf1-8dbbd09c0eef |
Medium | Insecure Configurations | Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more) | Documentation |
| Security Group is Not Configured 5c822443-e1ea-46b8-84eb-758ec602e844 |
Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more) | Documentation |
| Function App Client Certificates Unrequired 9bb3c639-5edf-458c-8ee5-30c17c7d671d |
Medium | Insecure Configurations | Azure Function App should have 'client_cert_mode' set to required (read more) | Documentation |
| Redis Cache Allows Non SSL Connections e29a75e6-aba3-4896-b42d-b87818c16b58 |
Medium | Insecure Configurations | Redis Cache resources should not allow non-SSL connections (read more) | Documentation |
| Small Flow Logs Retention Period 7750fcca-dd03-4d38-b663-4b70289bcfd4 |
Medium | Insecure Configurations | Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more) | Documentation |
| Function App Managed Identity Disabled c87749b3-ff10-41f5-9df2-c421e8151759 |
Medium | Insecure Configurations | Azure Function App should have managed identity enabled (read more) | Documentation |
| Security Center Pricing Tier Is Not Standard 819d50fd-1cdf-45c3-9936-be408aaad93e |
Medium | Insecure Configurations | Make sure that the 'Standard' pricing tiers were selected. (read more) | Documentation |
| Default Azure Storage Account Network Access Is Too Permissive a5613650-32ec-4975-a305-31af783153ea |
Medium | Insecure Defaults | Default Azure Storage Account network access should be set to Deny (read more) | Documentation |
| Network Interfaces With Public IP c1573577-e494-4417-8854-7e119368dc8b |
Medium | Networking and Firewall | Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more) | Documentation |
| WAF Is Disabled For Azure Application Gateway 2e48d91c-50e4-45c8-9312-27b625868a72 |
Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more) | Documentation |
| Unrestricted SQL Server Access d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28 |
Medium | Networking and Firewall | Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more) | Documentation |
| MariaDB Server Public Network Access Enabled 7f0a8696-7159-4337-ad0d-8a3ab4a78195 |
Medium | Networking and Firewall | MariaDB Server Public Network Access should be disabled (read more) | Documentation |
| Network Interfaces IP Forwarding Enabled 4216ebac-d74c-4423-b437-35025cb88af5 |
Medium | Networking and Firewall | Network Interfaces IP Forwarding should be disabled (read more) | Documentation |
| Azure Cognitive Search Public Network Access Enabled 4a9e0f00-0765-4f72-a0d4-d31110b78279 |
Medium | Networking and Firewall | Public Network Access should be disabled for Azure Cognitive Search (read more) | Documentation |
| Sensitive Port Is Exposed To Small Public Network e9dee01f-2505-4df2-b9bf-7804d1fd9082 |
Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more) | Documentation |
| Firewall Rule Allows Too Many Hosts To Access Redis Cache a829b715-cf75-4e92-b645-54c9b739edfb |
Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache (read more) | Documentation |
| Sensitive Port Is Exposed To Wide Private Network c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e |
Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more) | Documentation |
| MSSQL Server Auditing Disabled 609839ae-bd81-4375-9910-5bce72ae7b92 |
Medium | Observability | Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more) | Documentation |
| PostgreSQL Server Without Connection Throttling 2b3c671f-1b76-4741-8789-ed1fe0785dc4 |
Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server (read more) | Documentation |
| Small MSSQL Server Audit Retention 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc |
Medium | Observability | Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more) | Documentation |
| PostgreSQL Log Duration Not Set 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more) | Documentation |
| PostgreSQL Log Disconnections Not Set 07f7134f-9f37-476e-8664-670c218e4702 |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more) | Documentation |
| Small MSSQL Audit Retention Period 9c301481-e6ec-44f7-8a49-8ec63e2969ea |
Medium | Observability | Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more) | Documentation |
| Log Retention Is Not Set ffb02aca-0d12-475e-b77c-a726f7aeff4b |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more) | Documentation |
| PostgreSQL Log Checkpoints Disabled 3790d386-be81-4dcf-9850-eaa7df6c10d9 |
Medium | Observability | Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more) | Documentation |
| SQL Server Auditing Disabled f7e296b0-6660-4bc5-8f87-22ac4a815edf |
Medium | Observability | Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more) | Documentation |
| Email Alerts Disabled 9db38e87-f6aa-4b5e-a1ec-7266df259409 |
Medium | Observability | Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more) | Documentation |
| Small PostgreSQL DB Server Log Retention Period 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606 |
Medium | Observability | Check if PostgreSQL Database Server retains logs for less than 3 Days (read more) | Documentation |
| Small Activity Log Retention Period 2b856bf9-8e8c-4005-875f-303a8cba3918 |
Medium | Observability | Ensure that Activity Log Retention is set 365 days or greater (read more) | Documentation |
| PostgreSQL Log Connections Not Set c640d783-10c5-4071-b6c1-23507300d333 |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more) | Documentation |
| Azure Active Directory Authentication a21c8da9-41bf-40cf-941d-330cf0d11fc7 |
Low | Access Control | Azure Active Directory must be used for authentication for Service Fabric (read more) | Documentation |
| MariaDB Server Geo-redundant Backup Disabled 0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1 |
Low | Backup | MariaDB Server Geo-redundant Backup should be enabled (read more) | Documentation |
| App Service Without Latest PHP Version 96fe318e-d631-4156-99fa-9080d57280ae |
Low | Best Practices | Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more) | Documentation |
| Key Vault Secrets Content Type Undefined f8e08a38-fc6e-4915-abbe-a7aadf1d59ef |
Low | Best Practices | Key Vault Secrets should have set Content Type (read more) | Documentation |
| App Service Without Latest Python Version cc4aaa9d-1070-461a-b519-04e00f42db8a |
Low | Best Practices | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more) | Documentation |
| AKS Uses Azure Policies Add-On Disabled 43789711-161b-4708-b5bb-9d1c626f7492 |
Low | Best Practices | Azure Container Service (AKS) should use Azure Policies Add-On (read more) | Documentation |
| PostgreSQL Server Infrastructure Encryption Disabled 6425c98b-ca4e-41fe-896a-c78772c131f8 |
Low | Encryption | PostgreSQL Server Infrastructure Encryption should be enabled (read more) | Documentation |
| Function App HTTP2 Disabled ace823d1-4432-4dee-945b-cdf11a5a6bd0 |
Low | Insecure Configurations | Function App should have 'http2_enabled' enabled (read more) | Documentation |
| Dashboard Is Enabled 61c3cb8b-0715-47e4-b788-86dde40dd2db |
Low | Insecure Configurations | Check if the Kubernetes Dashboard is enabled. (read more) | Documentation |
| App Service HTTP2 Disabled 525b53be-62ed-4244-b4df-41aecfcb4071 |
Low | Insecure Configurations | App Service should have 'http2_enabled' enabled (read more) | Documentation |
| Azure Front Door WAF Disabled 835a4f2f-df43-437d-9943-545ccfc55961 |
Low | Networking and Firewall | Azure Front Door WAF should be enabled (read more) | Documentation |
| App Service Authentication Disabled c7fc1481-2899-4490-bbd8-544a3a61a2f3 |
Info | Access Control | Azure App Service authentication settings should be enabled (read more) | Documentation |
| SQL Server Alert Email Disabled 55975007-f6e7-4134-83c3-298f1fe4b519 |
Info | Best Practices | SQL Server alert email should be enabled (read more) | Documentation |
GCP¶
Bellow are listed queries related with Terraform GCP:
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| OSLogin Disabled 32ecd6eb-0711-421f-9627-1a28d9eff217 |
High | Access Control | Verifies that the OSLogin is enabled (read more) | Documentation |
| Cloud Storage Anonymous or Publicly Accessible a6cd52a1-3056-4910-96a5-894de9f3f3b3 |
High | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more) | Documentation |
| BigQuery Dataset Is Public e576ce44-dd03-4022-a8c0-3906acca2ab4 |
High | Access Control | BigQuery dataset is anonymously or publicly accessible (read more) | Documentation |
| Cloud Storage Bucket Is Publicly Accessible c010082c-76e0-4b91-91d9-6e8439e455dd |
High | Access Control | Cloud Storage Bucket is anonymously or publicly accessible (read more) | Documentation |
| VM With Full Cloud Access bc280331-27b9-4acb-a010-018e8098aa5d |
High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs (read more) | Documentation |
| SQL DB Instance Backup Disabled cf3c7631-cd1e-42f3-8801-a561214a6e79 |
High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances (read more) | Documentation |
| SQL DB Instance With SSL Disabled 02474449-71aa-40a1-87ae-e14497747b00 |
High | Encryption | Cloud SQL Database Instance should have SLL enabled (read more) | Documentation |
| DNSSEC Using RSASHA1 ccc3100c-0fdd-4a5e-9908-c10107291860 |
High | Encryption | DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more) | Documentation |
| KMS Crypto Key is Publicly Accessible 16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5 |
High | Encryption | KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more) | Documentation |
| Legacy Client Certificate Auth Enabled 73fb21a1-b19a-45b1-b648-b47b1678681e |
High | Insecure Configurations | Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more) | Documentation |
| SQL DB Instance Publicly Accessible b187edca-b81e-4fdc-aff4-aab57db45edb |
High | Insecure Configurations | Cloud SQL instances should not be publicly accessible. (read more) | Documentation |
| GKE Legacy Authorization Enabled 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067 |
High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more) | Documentation |
| Network Policy Disabled 11e7550e-c4b6-472e-adff-c698f157cdd7 |
High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more) | Documentation |
| Cluster Labels Disabled 65c1bc7a-4835-4ac4-a2b6-13d310b0648d |
High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more) | Documentation |
| Private Cluster Disabled 6ccb85d7-0420-4907-9380-50313f80946b |
High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more) | Documentation |
| Not Proper Email Account In Use 9356962e-4a4f-4d06-ac59-dc8008775eaa |
High | Insecure Configurations | Gmail accounts are being used instead of corporate credentials (read more) | Documentation |
| IP Aliasing Disabled c606ba1d-d736-43eb-ac24-e16108f3a9e0 |
High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more) | Documentation |
| Pod Security Policy Disabled 9192e0f9-eca5-4056-9282-ae2a736a4088 |
High | Insecure Configurations | Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more) | Documentation |
| IAM Audit Not Properly Configured 89fe890f-b480-460c-8b6b-7d8b1468adb4 |
High | Observability | Audit Logging Configuration is defective (read more) | Documentation |
| Cloud Storage Bucket Logging Not Enabled d6cabc3a-d57e-48c2-b341-bf3dd4f4a120 |
High | Observability | Cloud storage bucket should have logging enabled (read more) | Documentation |
| Stackdriver Monitoring Disabled 30e8dfd2-3591-4d19-8d11-79e93106c93d |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more) | Documentation |
| Cloud Storage Bucket Versioning Disabled e7e961ac-d17e-4413-84bc-8a1fbe242944 |
High | Observability | Cloud Storage Bucket should have versioning enabled (read more) | Documentation |
| Stackdriver Logging Disabled 4c7ebcb2-eae2-461e-bc83-456ee2d4f694 |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more) | Documentation |
| Node Auto Upgrade Disabled b139213e-7d24-49c2-8025-c18faa21ecaa |
High | Resource Management | Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more) | Documentation |
| Google Project IAM Binding Service Account has Token Creator or Account User Role 617ef6ff-711e-4bd7-94ae-e965911b1b40 |
Medium | Access Control | Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more) | Documentation |
| KMS Admin and CryptoKey Roles In Use 92e4464a-4139-4d57-8742-b5acc0347680 |
Medium | Access Control | Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more) | Documentation |
| Google Project IAM Member Service Account has Token Creator or Account User Role c68b4e6d-4e01-4ca1-b256-1e18e875785c |
Medium | Access Control | Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more) | Documentation |
| Google Project IAM Member Service Account Has Admin Role 84d36481-fd63-48cb-838e-635c44806ec2 |
Medium | Access Control | Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more) | Documentation |
| Google Compute SSL Policy Weak Cipher In Use 14a457f0-473d-4d1d-9e37-6d99b355b336 |
Medium | Encryption | This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more) | Documentation |
| Disk Encryption Disabled b1d51728-7270-4991-ac2f-fc26e2695b38 |
Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more) | Documentation |
| Google Project Auto Create Network Disabled 59571246-3f62-4965-a96f-c7d97e269351 |
Medium | Insecure Configurations | Verifies if the Google Project Auto Create Network is Disabled (read more) | Documentation |
| COS Node Image Not Used 8a893e46-e267-485a-8690-51f39951de58 |
Medium | Insecure Configurations | The node image should be Container-Optimized OS(COS) (read more) | Documentation |
| Shielded VM Disabled 1b44e234-3d73-41a8-9954-0b154135280e |
Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more) | Documentation |
| OSLogin Is Disabled For VM Instance d0b4d550-c001-46c3-bbdb-d5d75d33f05f |
Medium | Insecure Configurations | Check if any VM instance disables OSLogin (read more) | Documentation |
| Google Storage Bucket Level Access Disabled bb0db090-5509-4853-a827-75ced0b3caa0 |
Medium | Insecure Configurations | Google Storage Bucket Level Access should be enabled (read more) | Documentation |
| Cloud DNS Without DNSSEC 5ef61c88-bbb4-4725-b1df-55d23c9676bb |
Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS (read more) | Documentation |
| Shielded GKE Nodes Disabled 579a0727-9c29-4d58-8195-fc5802a8bdb4 |
Medium | Insecure Configurations | GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more) | Documentation |
| Google Container Node Pool Auto Repair Disabled acfdbec6-4a17-471f-b412-169d77553332 |
Medium | Insecure Configurations | Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more) | Documentation |
| GKE Using Default Service Account 1c8eef02-17b1-4a3e-b01d-dcc3292d2c38 |
Medium | Insecure Defaults | Kubernetes Engine Clusters should not be configured to use the default service account (read more) | Documentation |
| Using Default Service Account 3cb4af0b-056d-4fb1-8b95-fdc4593625ff |
Medium | Insecure Defaults | Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more) | Documentation |
| IP Forwarding Enabled f34c0c25-47b4-41eb-9c79-249b4dd47b89 |
Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more) | Documentation |
| Google Compute Network Using Default Firewall Rule 40abce54-95b1-478c-8e5f-ea0bf0bb0e33 |
Medium | Networking and Firewall | Google Compute Network should not use default firewall rule (read more) | Documentation |
| SSH Access Is Not Restricted c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0 |
Medium | Networking and Firewall | Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more) | Documentation |
| RDP Access Is Not Restricted 678fd659-96f2-454a-a2a0-c2571f83a4a3 |
Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more) | Documentation |
| Google Compute Network Using Firewall Rule that Allows All Ports 22ef1d26-80f8-4a6c-8c15-f35aab3cac78 |
Medium | Networking and Firewall | Google Compute Network should not use a firewall rule that allows all ports (read more) | Documentation |
| Serial Ports Are Enabled For VM Instances 97fa667a-d05b-4f16-9071-58b939f34751 |
Medium | Networking and Firewall | Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more) | Documentation |
| Google Compute Subnetwork Logging Disabled 40430747-442d-450a-a34f-dc57149f4609 |
Medium | Observability | This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more) | Documentation |
| Service Account with Improper Privileges cefdad16-0dd5-4ac5-8ed2-a37502c78672 |
Medium | Resource Management | Service account should not have improper privileges like admin, editor, owner, or write roles (read more) | Documentation |
| High Google KMS Crypto Key Rotation Period d8c57c4e-bf6f-4e32-a2bf-8643532de77b |
Medium | Secret Management | KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more) | Documentation |
| Project-wide SSH Keys Are Enabled In VM Instances 3e4d5ce6-3280-4027-8010-c26eeea1ec01 |
Medium | Secret Management | VM Instance should block project-wide SSH keys (read more) | Documentation |
| Outdated GKE Version 128df7ec-f185-48bc-8913-ce756a3ccb85 |
Low | Best Practices | Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more) | Documentation |
| User with IAM Role 704fcc44-a58f-4af5-82e2-93f2a58ef918 |
Low | Best Practices | As a best practice, it is better to assign an IAM Role to a group than to a user (read more) | Documentation |
| Google Compute Network Using Firewall Rule that Allows Port Range e6f61c37-106b-449f-a5bb-81bfcaceb8b4 |
Low | Networking and Firewall | Google Compute Network should not use a firewall rule that allows port range (read more) | Documentation |
| Google Compute Subnetwork with Private Google Access Disabled ee7b93c1-b3f8-4a3b-9588-146d481814f5 |
Low | Networking and Firewall | Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more) | Documentation |