Skip to content

CloudFormation

CloudFormation Queries List

This page contains all queries from CloudFormation.

AWS

Below are listed queries related to CloudFormation AWS:

Query Severity Category More info
Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63
Critical Access Control Query details
Documentation
ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134
Critical Access Control Query details
Documentation
S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085
Critical Access Control Query details
Documentation
S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced
Critical Access Control Query details
Documentation
S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252
Critical Access Control Query details
Documentation
S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58
Critical Access Control Query details
Documentation
S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9
Critical Access Control Query details
Documentation
SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13
Critical Access Control Query details
Documentation
RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007
Critical Insecure Configurations Query details
Documentation
DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79
Critical Networking and Firewall Query details
Documentation
RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091
Critical Networking and Firewall Query details
Documentation
Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7
High Access Control Query details
Documentation
ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff
High Access Control Query details
Documentation
IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368
High Access Control Query details
Documentation
Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69
High Access Control Query details
Documentation
MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab
High Access Control Query details
Documentation
Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02
High Access Control Query details
Documentation
S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170
High Access Control Query details
Documentation
S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f
High Access Control Query details
Documentation
S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba
High Access Control Query details
Documentation
S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9
High Access Control Query details
Documentation
S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69
High Access Control Query details
Documentation
S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0
High Access Control Query details
Documentation
AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f
High Encryption Query details
Documentation
API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b
High Encryption Query details
Documentation
CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84
High Encryption Query details
Documentation
Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9
High Encryption Query details
Documentation
DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f
High Encryption Query details
Documentation
DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac
High Encryption Query details
Documentation
EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162
High Encryption Query details
Documentation
ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c
High Encryption Query details
Documentation
EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622
High Encryption Query details
Documentation
ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821
High Encryption Query details
Documentation
ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1
High Encryption Query details
Documentation
ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb
High Encryption Query details
Documentation
ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190
High Encryption Query details
Documentation
Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650
High Encryption Query details
Documentation
MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768
High Encryption Query details
Documentation
Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93
High Encryption Query details
Documentation
RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95
High Encryption Query details
Documentation
RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630
High Encryption Query details
Documentation
Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e
High Encryption Query details
Documentation
S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5
High Encryption Query details
Documentation
SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe
High Encryption Query details
Documentation
User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288
High Encryption Query details
Documentation
Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db
High Encryption Query details
Documentation
Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36
High Insecure Configurations Query details
Documentation
KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba
High Insecure Configurations Query details
Documentation
Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583
High Insecure Configurations Query details
Documentation
MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61
High Insecure Configurations Query details
Documentation
Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf
High Insecure Configurations Query details
Documentation
S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317
High Insecure Configurations Query details
Documentation
Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40
High Insecure Defaults Query details
Documentation
DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899
High Networking and Firewall Query details
Documentation
Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205
High Networking and Firewall Query details
Documentation
EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed
High Networking and Firewall Query details
Documentation
ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4
High Networking and Firewall Query details
Documentation
Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5
High Networking and Firewall Query details
Documentation
Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a
High Networking and Firewall Query details
Documentation
Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151
High Networking and Firewall Query details
Documentation
Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002
High Networking and Firewall Query details
Documentation
Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7
High Networking and Firewall Query details
Documentation
Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48
High Networking and Firewall Query details
Documentation
Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2
High Networking and Firewall Query details
Documentation
Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14
High Networking and Firewall Query details
Documentation
Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7
High Secret Management Query details
Documentation
Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7
High Secret Management Query details
Documentation
Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db
High Secret Management Query details
Documentation
Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69
High Secret Management Query details
Documentation
Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be
High Secret Management Query details
Documentation
Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989
High Secret Management Query details
Documentation
DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024
High Secret Management Query details
Documentation
DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d
High Secret Management Query details
Documentation
DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d
High Secret Management Query details
Documentation
Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696
High Secret Management Query details
Documentation
IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1
High Secret Management Query details
Documentation
RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189
High Secret Management Query details
Documentation
API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f
Medium Access Control Query details
Documentation
API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28
Medium Access Control Query details
Documentation
EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6
Medium Access Control Query details
Documentation
EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279
Medium Access Control Query details
Documentation
EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2
Medium Access Control Query details
Documentation
Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705
Medium Access Control Query details
Documentation
Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb
Medium Access Control Query details
Documentation
IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540
Medium Access Control Query details
Documentation
IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c
Medium Access Control Query details
Documentation
IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5
Medium Access Control Query details
Documentation
IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661
Medium Access Control Query details
Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6
Medium Access Control Query details
Documentation
IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade
Medium Access Control Query details
Documentation
IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6
Medium Access Control Query details
Documentation
IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5
Medium Access Control Query details
Documentation
IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3
Medium Access Control Query details
Documentation
KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba
Medium Access Control Query details
Documentation
Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7
Medium Access Control Query details
Documentation
Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2
Medium Access Control Query details
Documentation
S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26
Medium Access Control Query details
Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195
Medium Access Control Query details
Documentation
SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d
Medium Access Control Query details
Documentation
Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c
Medium Availability Query details
Documentation
CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602
Medium Availability Query details
Documentation
ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150
Medium Availability Query details
Documentation
RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69
Medium Availability Query details
Documentation
RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9
Medium Backup Query details
Documentation
S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54
Medium Backup Query details
Documentation
Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f
Medium Backup Query details
Documentation
DynamoDB Table Point In Time Recovery Disabled
0f04217d-488f-4e7a-bec8-f16159686cd6
Medium Best Practices Query details
Documentation
ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d
Medium Best Practices Query details
Documentation
IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f
Medium Best Practices Query details
Documentation
IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a
Medium Best Practices Query details
Documentation
Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111
Medium Encryption Query details
Documentation
CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db
Medium Encryption Query details
Documentation
Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1
Medium Encryption Query details
Documentation
CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad
Medium Encryption Query details
Documentation
Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388
Medium Encryption Query details
Documentation
Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc
Medium Encryption Query details
Documentation
EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658
Medium Encryption Query details
Documentation
ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68
Medium Encryption Query details
Documentation
ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8
Medium Encryption Query details
Documentation
ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8
Medium Encryption Query details
Documentation
EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9
Medium Encryption Query details
Documentation
IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184
Medium Encryption Query details
Documentation
KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb
Medium Encryption Query details
Documentation
Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78
Medium Encryption Query details
Documentation
S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9
Medium Encryption Query details
Documentation
SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354
Medium Encryption Query details
Documentation
Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c
Medium Encryption Query details
Documentation
SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1
Medium Encryption Query details
Documentation
API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0
Medium Insecure Configurations Query details
Documentation
API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e
Medium Insecure Configurations Query details
Documentation
API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25
Medium Insecure Configurations Query details
Documentation
CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303
Medium Insecure Configurations Query details
Documentation
ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac
Medium Insecure Configurations Query details
Documentation
ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45
Medium Insecure Configurations Query details
Documentation
EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23
Medium Insecure Configurations Query details
Documentation
GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1
Medium Insecure Configurations Query details
Documentation
IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54
Medium Insecure Configurations Query details
Documentation
Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3
Medium Insecure Configurations Query details
Documentation
S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583
Medium Insecure Configurations Query details
Documentation
S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a
Medium Insecure Configurations Query details
Documentation
S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c
Medium Insecure Configurations Query details
Documentation
SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11
Medium Insecure Configurations Query details
Documentation
Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041
Medium Insecure Defaults Query details
Documentation
ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b
Medium Networking and Firewall Query details
Documentation
ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32
Medium Networking and Firewall Query details
Documentation
API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34
Medium Networking and Firewall Query details
Documentation
API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b
Medium Networking and Firewall Query details
Documentation
CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d
Medium Networking and Firewall Query details
Documentation
EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c
Medium Networking and Firewall Query details
Documentation
EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576
Medium Networking and Firewall Query details
Documentation
EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88
Medium Networking and Firewall Query details
Documentation
EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a
Medium Networking and Firewall Query details
Documentation
EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3
Medium Networking and Firewall Query details
Documentation
Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf
Medium Networking and Firewall Query details
Documentation
ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845
Medium Networking and Firewall Query details
Documentation
ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c
Medium Networking and Firewall Query details
Documentation
GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd
Medium Networking and Firewall Query details
Documentation
HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa
Medium Networking and Firewall Query details
Documentation
SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36
Medium Networking and Firewall Query details
Documentation
Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a
Medium Networking and Firewall Query details
Documentation
Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c
Medium Networking and Firewall Query details
Documentation
Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610
Medium Networking and Firewall Query details
Documentation
Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b
Medium Networking and Firewall Query details
Documentation
Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16
Medium Networking and Firewall Query details
Documentation
Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1
Medium Networking and Firewall Query details
Documentation
Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c
Medium Networking and Firewall Query details
Documentation
TCP UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163
Medium Networking and Firewall Query details
Documentation
VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9
Medium Networking and Firewall Query details
Documentation
API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5
Medium Observability Query details
Documentation
API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941
Medium Observability Query details
Documentation
CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642
Medium Observability Query details
Documentation
CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0
Medium Observability Query details
Documentation
CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0
Medium Observability Query details
Documentation
CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf
Medium Observability Query details
Documentation
DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5
Medium Observability Query details
Documentation
EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0
Medium Observability Query details
Documentation
Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996
Medium Observability Query details
Documentation
ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028
Medium Observability Query details
Documentation
ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621
Medium Observability Query details
Documentation
GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac
Medium Observability Query details
Documentation
MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050
Medium Observability Query details
Documentation
MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b
Medium Observability Query details
Documentation
Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6
Medium Observability Query details
Documentation
S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c
Medium Observability Query details
Documentation
S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c
Medium Observability Query details
Documentation
VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b
Medium Observability Query details
Documentation
High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2
Medium Secret Management Query details
Documentation
IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e
Low Access Control Query details
Documentation
Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744
Low Access Control Query details
Documentation
EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b
Low Availability Query details
Documentation
ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528
Low Availability Query details
Documentation
VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e
Low Availability Query details
Documentation
Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d
Low Backup Query details
Documentation
RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e
Low Backup Query details
Documentation
Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281
Low Best Practices Query details
Documentation
CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2
Low Best Practices Query details
Documentation
Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc
Low Best Practices Query details
Documentation
Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195
Low Best Practices Query details
Documentation
IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da
Low Best Practices Query details
Documentation
IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1
Low Best Practices Query details
Documentation
IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512
Low Best Practices Query details
Documentation
Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa
Low Best Practices Query details
Documentation
Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd
Low Best Practices Query details
Documentation
DynamoDB With Not Recommended Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6
Low Build Process Query details
Documentation
EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162
Low Build Process Query details
Documentation
API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a
Low Encryption Query details
Documentation
CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85
Low Encryption Query details
Documentation
EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6
Low Encryption Query details
Documentation
API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d
Low Insecure Configurations Query details
Documentation
Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd
Low Insecure Configurations Query details
Documentation
Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861
Low Insecure Configurations Query details
Documentation
Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d
Low Insecure Configurations Query details
Documentation
Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46
Low Insecure Configurations Query details
Documentation
Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131
Low Insecure Configurations Query details
Documentation
RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944
Low Insecure Defaults Query details
Documentation
S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738
Low Insecure Defaults Query details
Documentation
EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e
Low Networking and Firewall Query details
Documentation
ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b
Low Networking and Firewall Query details
Documentation
ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e
Low Networking and Firewall Query details
Documentation
EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3
Low Networking and Firewall Query details
Documentation
RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b
Low Networking and Firewall Query details
Documentation
Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a
Low Networking and Firewall Query details
Documentation
Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558
Low Networking and Firewall Query details
Documentation
Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf
Low Networking and Firewall Query details
Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca
Low Observability Query details
Documentation
API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de
Low Observability Query details
Documentation
CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8
Low Observability Query details
Documentation
CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7
Low Observability Query details
Documentation
CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44
Low Observability Query details
Documentation
CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3
Low Observability Query details
Documentation
CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5
Low Observability Query details
Documentation
Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d
Low Observability Query details
Documentation
ECS Cluster with Container Insights Disabled
ab759fde-e1e8-4b0e-ad73-ba856e490ed8
Low Observability Query details
Documentation
ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd
Low Observability Query details
Documentation
ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8
Low Observability Query details
Documentation
Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c
Low Observability Query details
Documentation
Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7
Low Observability Query details
Documentation
Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35
Low Observability Query details
Documentation
API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071
Low Resource Management Query details
Documentation
ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51
Low Resource Management Query details
Documentation
SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d
Low Resource Management Query details
Documentation
VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a
Low Resource Management Query details
Documentation
EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42
Low Secret Management Query details
Documentation
Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22
Low Secret Management Query details
Documentation
SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52
Low Secret Management Query details
Documentation
EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40
Info Best Practices Query details
Documentation
Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5
Info Best Practices Query details
Documentation
EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe
Info Networking and Firewall Query details
Documentation

AWS_BOM

Below are listed queries related to CloudFormation AWS_BOM:

Query Severity Category More info
BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4
Trace Bill Of Materials Query details
Documentation
BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df
Trace Bill Of Materials Query details
Documentation
BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b
Trace Bill Of Materials Query details
Documentation
BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16
Trace Bill Of Materials Query details
Documentation
BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c
Trace Bill Of Materials Query details
Documentation
BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2
Trace Bill Of Materials Query details
Documentation
BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef
Trace Bill Of Materials Query details
Documentation
BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb
Trace Bill Of Materials Query details
Documentation
BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea
Trace Bill Of Materials Query details
Documentation
BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83
Trace Bill Of Materials Query details
Documentation
BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136
Trace Bill Of Materials Query details
Documentation
BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c
Trace Bill Of Materials Query details
Documentation

AWS_SAM

Below are listed queries related to CloudFormation AWS_SAM:

Query Severity Category More info
Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92
High Insecure Configurations Query details
Documentation
Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572
Medium Encryption Query details
Documentation
Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef
Medium Networking and Firewall Query details
Documentation
Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b
Medium Observability Query details
Documentation
Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315
Medium Observability Query details
Documentation
Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800
Low Encryption Query details
Documentation
Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79
Low Insecure Configurations Query details
Documentation
Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18
Low Insecure Configurations Query details
Documentation
Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98
Low Insecure Configurations Query details
Documentation
Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8
Low Observability Query details
Documentation