CloudFormation
CloudFormation Queries List¶
This page contains all queries from CloudFormation.
AWS¶
Below are listed queries related to CloudFormation AWS:
| Query | Severity | Category | More info |
|---|---|---|---|
| Amazon DMS Replication Instance Is Publicly Accessible 5864fb39-d719-4182-80e2-89dbe627be63 |
Critical | Access Control | Query details Documentation |
| ECR Repository Is Publicly Accessible 75be209d-1948-41f6-a8c8-e22dd0121134 |
Critical | Access Control | Query details Documentation |
| S3 Bucket Access to Any Principal 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085 |
Critical | Access Control | Query details Documentation |
| S3 Bucket ACL Allows Read Or Write to All Users 07dda8de-d90d-469e-9b37-1aca53526ced |
Critical | Access Control | Query details Documentation |
| S3 Bucket Allows Delete Action From All Principals acc78859-765e-4011-a229-a65ea57db252 |
Critical | Access Control | Query details Documentation |
| S3 Bucket Allows Put Action From All Principals f6397a20-4cf1-4540-a997-1d363c25ef58 |
Critical | Access Control | Query details Documentation |
| S3 Bucket With All Permissions 4ae8af91-5108-42cb-9471-3bdbe596eac9 |
Critical | Access Control | Query details Documentation |
| SNS Topic is Publicly Accessible ae53ce91-42b5-46bf-a84f-9a13366a4f13 |
Critical | Access Control | Query details Documentation |
| RDS DB Instance Publicly Accessible de38e1d5-54cb-4111-a868-6f7722695007 |
Critical | Insecure Configurations | Query details Documentation |
| DB Security Group With Public Scope 9564406d-e761-4e61-b8d7-5926e3ab8e79 |
Critical | Networking and Firewall | Query details Documentation |
| RDS Associated with Public Subnet 4e88adee-a8eb-4605-a78d-9fb1096e3091 |
Critical | Networking and Firewall | Query details Documentation |
| Cross-Account IAM Assume Role Policy Without ExternalId or MFA 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7 |
High | Access Control | Query details Documentation |
| ECS Service Admin Role Is Present 01986452-bdd8-4aaa-b5df-d6bf61d616ff |
High | Access Control | Query details Documentation |
| IAM Policy Grants Full Permissions f62aa827-4ade-4dc4-89e4-1433d384a368 |
High | Access Control | Query details Documentation |
| Lambda Functions With Full Privileges a0ae0a4e-712b-4115-8112-51b9eeed9d69 |
High | Access Control | Query details Documentation |
| MSK Broker Is Publicly Accessible 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab |
High | Access Control | Query details Documentation |
| Neptune Cluster With IAM Database Authentication Disabled a3aa0087-8228-4e7e-b202-dc9036972d02 |
High | Access Control | Query details Documentation |
| S3 Bucket ACL Allows Read to All Users 219f4c95-aa50-44e0-97de-cf71f4641170 |
High | Access Control | Query details Documentation |
| S3 Bucket ACL Allows Read to Any Authenticated User 835d5497-a526-4aea-a23f-98a9afd1635f |
High | Access Control | Query details Documentation |
| S3 Bucket Allows Get Action From All Principals f97b7d23-568f-4bcc-9ac9-02df0d57fbba |
High | Access Control | Query details Documentation |
| S3 Bucket Allows List Action From All Principals faa8fddf-c0aa-4b2d-84ff-e993e233ebe9 |
High | Access Control | Query details Documentation |
| S3 Bucket Allows Public Policy 860ba89b-b8de-4e72-af54-d6aee4138a69 |
High | Access Control | Query details Documentation |
| S3 Bucket Allows Restore Actions From All Principals 456b00a3-1072-4149-9740-6b8bb60251b0 |
High | Access Control | Query details Documentation |
| AmazonMQ Broker Encryption Disabled 316278b3-87ac-444c-8f8f-a733a28da60f |
High | Encryption | Query details Documentation |
| API Gateway Cache Encrypted Disabled 37cca703-b74c-48ba-ac81-595b53398e9b |
High | Encryption | Query details Documentation |
| CMK Unencrypted Storage ffee2785-c347-451e-89f3-11aeb08e5c84 |
High | Encryption | Query details Documentation |
| Config Rule For Encrypted Volumes Disabled 1b6322d9-c755-4f8c-b804-32c19250f2d9 |
High | Encryption | Query details Documentation |
| DynamoDB Table Not Encrypted 4bd21e68-38c1-4d58-acdc-6a14b203237f |
High | Encryption | Query details Documentation |
| DynamoDB With Aws Owned CMK c8dee387-a2e6-4a73-a942-183c975549ac |
High | Encryption | Query details Documentation |
| EBS Volume Encryption Disabled 80b7ac3f-d2b7-4577-9b10-df7913497162 |
High | Encryption | Query details Documentation |
| ECS Cluster Not Encrypted At Rest 6c131358-c54d-419b-9dd6-1f7dd41d180c |
High | Encryption | Query details Documentation |
| EFS Not Encrypted 2ff8e83c-90e1-4d68-a300-6d652112e622 |
High | Encryption | Query details Documentation |
| ElastiCache With Disabled at Rest Encryption e4ee3903-9225-4b6a-bdfb-e62dbadef821 |
High | Encryption | Query details Documentation |
| ElasticSearch Encryption With KMS Disabled d926aa95-0a04-4abc-b20c-acf54afe38a1 |
High | Encryption | Query details Documentation |
| ElasticSearch Not Encrypted At Rest 86a248ab-0e01-4564-a82a-878303e253bb |
High | Encryption | Query details Documentation |
| ELB Using Weak Ciphers 809f77f8-d10e-4842-a84f-3be7b6ff1190 |
High | Encryption | Query details Documentation |
| Kinesis SSE Not Configured 7f65be75-90ab-4036-8c2a-410aef7bb650 |
High | Encryption | Query details Documentation |
| MSK Cluster Encryption Disabled a976d63f-af0e-46e8-b714-8c1a9c4bf768 |
High | Encryption | Query details Documentation |
| Neptune Database Cluster Encryption Disabled bf4473f1-c8a2-4b1b-8134-bd32efabab93 |
High | Encryption | Query details Documentation |
| RDS Storage Encryption Disabled 65844ba3-03a1-40a8-b3dd-919f122e8c95 |
High | Encryption | Query details Documentation |
| RDS Storage Not Encrypted 5beacce3-4020-4a3d-9e1d-a36f953df630 |
High | Encryption | Query details Documentation |
| Redshift Not Encrypted 3b316b05-564c-44a7-9c3f-405bb95e211e |
High | Encryption | Query details Documentation |
| S3 Bucket Without Server-side-encryption b2e8752c-3497-4255-98d2-e4ae5b46bbf5 |
High | Encryption | Query details Documentation |
| SageMaker Data Encryption Disabled 709e6da6-fa1f-44cc-8f17-7f25f96dadbe |
High | Encryption | Query details Documentation |
| User Data Contains Encoded Private Key 568cc372-ca64-420d-9015-ee347d00d288 |
High | Encryption | Query details Documentation |
| Workspace Without Encryption 89827c57-5a8a-49eb-9731-976a606d70db |
High | Encryption | Query details Documentation |
| Batch Job Definition With Privileged Container Properties 76ddf32c-85b1-4808-8935-7eef8030ab36 |
High | Insecure Configurations | Query details Documentation |
| KMS Key With Vulnerable Policy da905474-7454-43c0-b8d2-5756ab951aba |
High | Insecure Configurations | Query details Documentation |
| Lambda Functions Without Unique IAM Roles ae03f542-1423-402f-9cef-c834e7ee9583 |
High | Insecure Configurations | Query details Documentation |
| MQ Broker Is Publicly Accessible 68b6a789-82f8-4cfd-85de-e95332fe6a61 |
High | Insecure Configurations | Query details Documentation |
| Root Account Has Active Access Keys 4c137350-7307-4803-8c04-17c09a7a9fcf |
High | Insecure Configurations | Query details Documentation |
| S3 Static Website Host Enabled 90501b1b-cded-4cc1-9e8b-206b85cda317 |
High | Insecure Configurations | Query details Documentation |
| Permissive Web ACL Default Action 6d64f311-3da6-45f3-80f1-14db9771ea40 |
High | Insecure Defaults | Query details Documentation |
| DB Security Group Open To Large Scope 0104165b-02d5-426f-abc9-91fb48189899 |
High | Networking and Firewall | Query details Documentation |
| Default Security Groups With Unrestricted Traffic ea33fcf7-394b-4d11-a228-985c5d08f205 |
High | Networking and Firewall | Query details Documentation |
| EC2 Sensitive Port Is Publicly Exposed 494b03d3-bf40-4464-8524-7c56ad0700ed |
High | Networking and Firewall | Query details Documentation |
| ELB Sensitive Port Is Exposed To Entire Network 78055456-f670-4d2e-94d5-392d1cf4f5e4 |
High | Networking and Firewall | Query details Documentation |
| Fully Open Ingress e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5 |
High | Networking and Firewall | Query details Documentation |
| Remote Desktop Port Open To Internet c9846969-d066-431f-9b34-8c4abafe422a |
High | Networking and Firewall | Query details Documentation |
| Route53 Record Undefined 24d932e1-91f0-46ea-836f-fdbd81694151 |
High | Networking and Firewall | Query details Documentation |
| Security Group Unrestricted Access To RDP 3ae83918-7ec7-4cb8-80db-b91ef0f94002 |
High | Networking and Firewall | Query details Documentation |
| Security Groups With Exposed Admin Ports cdbb0467-2957-4a77-9992-7b55b29df7b7 |
High | Networking and Firewall | Query details Documentation |
| Security Groups With Meta IP adcd0082-e90b-4b63-862b-21899f6e6a48 |
High | Networking and Firewall | Query details Documentation |
| Unknown Port Exposed To Internet 829ce3b8-065c-41a3-ad57-e0accfea82d2 |
High | Networking and Firewall | Query details Documentation |
| Unrestricted Security Group Ingress 4a1e6b34-1008-4e61-a5f2-1f7c276f8d14 |
High | Networking and Firewall | Query details Documentation |
| Amplify App Access Token Exposed 73980e43-f399-4fcc-a373-658228f7adf7 |
High | Secret Management | Query details Documentation |
| Amplify App Basic Auth Config Password Exposed 71493c8b-3014-404c-9802-078b74496fb7 |
High | Secret Management | Query details Documentation |
| Amplify App OAuth Token Exposed 03b38885-8f4e-480c-a0e4-12c1affd15db |
High | Secret Management | Query details Documentation |
| Amplify Branch Basic Auth Config Password Exposed dfb56e5d-ee68-446e-b32a-657b62befe69 |
High | Secret Management | Query details Documentation |
| Directory Service Microsoft AD Password Set to Plaintext or Default Ref 06b9f52a-8cd5-459b-bdc6-21a22521e1be |
High | Secret Management | Query details Documentation |
| Directory Service Simple AD Password Exposed 6685d912-d81f-4cfa-95ad-e316ea31c989 |
High | Secret Management | Query details Documentation |
| DMS Endpoint MongoDB Settings Password Exposed f988a17f-1139-46a3-8928-f27eafd8b024 |
High | Secret Management | Query details Documentation |
| DMS Endpoint Password Exposed 5f700072-b7ce-4e84-b3f3-497bf1c24a4d |
High | Secret Management | Query details Documentation |
| DocDB Cluster Master Password In Plaintext 39423ce4-9011-46cd-b6b1-009edcd9385d |
High | Secret Management | Query details Documentation |
| Hardcoded AWS Access Key In Lambda 2564172f-c92b-4261-9acd-464aed511696 |
High | Secret Management | Query details Documentation |
| IAM User LoginProfile Password Is In Plaintext 06adef8c-c284-4de7-aad2-af43b07a8ca1 |
High | Secret Management | Query details Documentation |
| RefreshToken Is Exposed 5b48c507-0d1f-41b0-a630-76817c6b4189 |
High | Secret Management | Query details Documentation |
| API Gateway Method Does Not Contains An API Key 3641d5b4-d339-4bc2-bfb9-208fe8d3477f |
Medium | Access Control | Query details Documentation |
| API Gateway Without Configured Authorizer 7fd0d461-5b8c-4815-898c-f2b4b117eb28 |
Medium | Access Control | Query details Documentation |
| EC2 Instance Has No IAM Role f914357d-8386-4d56-9ba6-456e5723f9a6 |
Medium | Access Control | Query details Documentation |
| EC2 Instance Using Default Security Group 08b81bb3-0985-4023-8602-b606ad81d279 |
Medium | Access Control | Query details Documentation |
| EC2 Network ACL Ineffective Denied Traffic 2623d682-dccb-44cd-99d0-54d9fd62f8f2 |
Medium | Access Control | Query details Documentation |
| Elasticsearch Without IAM Authentication 5c666ed9-b586-49ab-9873-c495a833b705 |
Medium | Access Control | Query details Documentation |
| Empty Roles For ECS Cluster Task Definitions 7f384a5f-b5a2-4d84-8ca3-ee0a5247becb |
Medium | Access Control | Query details Documentation |
| IAM Group Inline Policies a58d1a2d-4078-4b80-855b-84cc3f7f4540 |
Medium | Access Control | Query details Documentation |
| IAM Group Without Users 8f957abd-9703-413d-87d3-c578950a753c |
Medium | Access Control | Query details Documentation |
| IAM Policies Attached To User edc95c10-7366-4f30-9b4b-f995c84eceb5 |
Medium | Access Control | Query details Documentation |
| IAM Policies With Full Privileges 953b3cdb-ce13-428a-aa12-318726506661 |
Medium | Access Control | Query details Documentation |
| IAM Policy Grants 'AssumeRole' Permission Across All Services e835bd0d-65da-49f7-b6d1-b646da8727e6 |
Medium | Access Control | Query details Documentation |
| IAM Policy On User e4239438-e639-44aa-adb8-866e400e3ade |
Medium | Access Control | Query details Documentation |
| IAM Role Allows All Principals To Assume f80e3aa7-7b34-4185-954e-440a6894dde6 |
Medium | Access Control | Query details Documentation |
| IoT Policy Allows Action as Wildcard 4d32780f-43a4-424a-a06d-943c543576a5 |
Medium | Access Control | Query details Documentation |
| IoT Policy Allows Wildcard Resource be5b230d-4371-4a28-a441-85dc760e2aa3 |
Medium | Access Control | Query details Documentation |
| KMS Allows Wildcard Principal f6049677-ec4a-43af-8779-5190b6d03cba |
Medium | Access Control | Query details Documentation |
| Lambda Permission Principal Is Wildcard 1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7 |
Medium | Access Control | Query details Documentation |
| Public Lambda via API Gateway 57b12981-3816-4c31-b190-a1e614361dd2 |
Medium | Access Control | Query details Documentation |
| S3 Bucket Allows Public ACL 48f100d9-f499-4c6d-b2b8-deafe47ffb26 |
Medium | Access Control | Query details Documentation |
| SNS Topic Publicity Has Allow and NotAction Simultaneously 818f38ed-8446-4132-9c03-474d49e10195 |
Medium | Access Control | Query details Documentation |
| SQS Policy With Public Access 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d |
Medium | Access Control | Query details Documentation |
| Auto Scaling Group With No Associated ELB ad21e616-5026-4b9d-990d-5b007bfe679c |
Medium | Availability | Query details Documentation |
| CMK Is Unusable 2844c749-bd78-4cd1-90e8-b179df827602 |
Medium | Availability | Query details Documentation |
| ElastiCache Nodes Not Created Across Multi AZ cfdef2e5-1fe4-4ef4-bea8-c56e08963150 |
Medium | Availability | Query details Documentation |
| RDS Multi-AZ Deployment Disabled 2b1d4935-9acf-48a7-8466-10d18bf51a69 |
Medium | Availability | Query details Documentation |
| RDS With Backup Disabled 8c415f6f-7b90-4a27-a44a-51047e1506f9 |
Medium | Backup | Query details Documentation |
| S3 Bucket Without Versioning a227ec01-f97a-4084-91a4-47b350c1db54 |
Medium | Backup | Query details Documentation |
| Stack Retention Disabled fe974ae9-858e-4991-bbd5-e040a834679f |
Medium | Backup | Query details Documentation |
| DynamoDB Table Point In Time Recovery Disabled 0f04217d-488f-4e7a-bec8-f16159686cd6 |
Medium | Best Practices | Query details Documentation |
| ECS No Load Balancer Attached fb2b0ecf-1492-491a-a70d-ba1df579175d |
Medium | Best Practices | Query details Documentation |
| IAM Managed Policy Applied to a User 0e5872b4-19a0-4165-8b2f-56d9e14b909f |
Medium | Best Practices | Query details Documentation |
| IAM User Without Password Reset a964d6e3-8e1e-4d93-8120-61fa640dd55a |
Medium | Best Practices | Query details Documentation |
| Alexa Skill Plaintext Client Secret Exposed 3c3b7a58-b018-4d07-9444-d9ee7156e111 |
Medium | Encryption | Query details Documentation |
| CloudFormation Specifying Credentials Not Safe 9ecb6b21-18bc-4aa7-bd07-db20f1c746db |
Medium | Encryption | Query details Documentation |
| Cloudfront Viewer Protocol Policy Allows HTTP 31733ee2-fef0-4e87-9778-65da22a8ecf1 |
Medium | Encryption | Query details Documentation |
| CodeBuild Not Encrypted d7467bb6-3ed1-4c82-8095-5e7a818d0aad |
Medium | Encryption | Query details Documentation |
| Connection Between CloudFront Origin Not Encrypted a5366a50-932f-4085-896b-41402714a388 |
Medium | Encryption | Query details Documentation |
| Default KMS Key Usage e52395b4-250b-4c60-81d5-2e58c1d37abc |
Medium | Encryption | Query details Documentation |
| EFS Volume With Disabled Transit Encryption c1282e03-b285-4637-aee7-eefe3a7bb658 |
Medium | Encryption | Query details Documentation |
| ElastiCache With Disabled Transit Encryption 3b02569b-fc6f-4153-b3a3-ba91022fed68 |
Medium | Encryption | Query details Documentation |
| ELB Using Insecure Protocols 61a94903-3cd3-4780-88ec-fc918819b9c8 |
Medium | Encryption | Query details Documentation |
| ELB Without Secure Protocol 80908a75-586b-4c61-ab04-490f4f4525b8 |
Medium | Encryption | Query details Documentation |
| EMR Security Configuration Encryption Disabled 5b033ec8-f079-4323-b5c8-99d4620433a9 |
Medium | Encryption | Query details Documentation |
| IAM Database Auth Not Enabled 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184 |
Medium | Encryption | Query details Documentation |
| KMS Key Rotation Disabled 235ca980-eb71-48f4-9030-df0c371029eb |
Medium | Encryption | Query details Documentation |
| Redshift Cluster Without KMS CMK de76a0d6-66d5-45c9-9022-f05545b85c78 |
Medium | Encryption | Query details Documentation |
| S3 Bucket Without SSL In Write Actions 38c64e76-c71e-4d92-a337-60174d1de1c9 |
Medium | Encryption | Query details Documentation |
| SageMaker EndPoint Config Should Specify KmsKeyId Attribute 44034eda-1c3f-486a-831d-e09a7dd94354 |
Medium | Encryption | Query details Documentation |
| Secure Ciphers Disabled be96849c-3df6-49c2-bc16-778a7be2519c |
Medium | Encryption | Query details Documentation |
| SQS With SSE Disabled 12726829-93ed-4d51-9cbe-13423f4299e1 |
Medium | Encryption | Query details Documentation |
| API Gateway With Open Access 1056dfbb-5802-4762-bf2b-8b9b9684b1b0 |
Medium | Insecure Configurations | Query details Documentation |
| API Gateway Without Security Policy 8275fab0-68ec-4705-bbf4-86975edb170e |
Medium | Insecure Configurations | Query details Documentation |
| API Gateway Without SSL Certificate ed4c48b8-eccc-4881-95c1-09fdae23db25 |
Medium | Insecure Configurations | Query details Documentation |
| CloudFront Without Minimum Protocol TLS 1.2 dc17ee4b-ddf2-4e23-96e8-7a36abad1303 |
Medium | Insecure Configurations | Query details Documentation |
| ECR Image Tag Not Immutable 33f41d31-86b1-46a4-81f7-9c9a671f59ac |
Medium | Insecure Configurations | Query details Documentation |
| ECS Task Definition Network Mode Not Recommended 027a4b7a-8a59-4938-a04f-ed532512cf45 |
Medium | Insecure Configurations | Query details Documentation |
| EMR Cluster Without Security Configuration 48af92a5-c89b-4936-bc62-1086fe2bab23 |
Medium | Insecure Configurations | Query details Documentation |
| GitHub Repository Set To Public 5906092d-5f74-490d-9a03-78febe0f65e1 |
Medium | Insecure Configurations | Query details Documentation |
| IAM User Has Too Many Access Keys 48677914-6fdf-40ec-80c4-2b0e94079f54 |
Medium | Insecure Configurations | Query details Documentation |
| Redshift Publicly Accessible bdf8dcb4-75df-4370-92c4-606e4ae6c4d3 |
Medium | Insecure Configurations | Query details Documentation |
| S3 Bucket With Unsecured CORS Rule 3609d27c-3698-483a-9402-13af6ae80583 |
Medium | Insecure Configurations | Query details Documentation |
| S3 Bucket Without Ignore Public ACL 6c8d51af-218d-4bfb-94a9-94eabaa0703a |
Medium | Insecure Configurations | Query details Documentation |
| S3 Bucket Without Restriction Of Public Bucket 350cd468-0e2c-44ef-9d22-cfb73a62523c |
Medium | Insecure Configurations | Query details Documentation |
| SageMaker Enabling Internet Access 88d55d94-315d-4564-beee-d2d725feab11 |
Medium | Insecure Configurations | Query details Documentation |
| Vulnerable Default SSL Certificate b4d9c12b-bfba-4aeb-9cb8-2358546d8041 |
Medium | Insecure Defaults | Query details Documentation |
| ALB Is Not Integrated With WAF 105ba098-1e34-48cd-b0f2-a8a43a51bf9b |
Medium | Networking and Firewall | Query details Documentation |
| ALB Listening on HTTP 275a3217-ca37-40c1-a6cf-bb57d245ab32 |
Medium | Networking and Firewall | Query details Documentation |
| API Gateway Endpoint Config is Not Private 4a8daf95-709d-4a36-9132-d3e19878fa34 |
Medium | Networking and Firewall | Query details Documentation |
| API Gateway without WAF fcbf9019-566c-4832-a65c-af00d8137d2b |
Medium | Networking and Firewall | Query details Documentation |
| CloudFront Without WAF 0f139403-303f-467c-96bd-e717e6cfd62d |
Medium | Networking and Firewall | Query details Documentation |
| EC2 Instance Subnet Has Public IP Mapping On Launch b3de4e4c-14be-4159-b99d-9ad194365e4c |
Medium | Networking and Firewall | Query details Documentation |
| EC2 Network ACL Overlapping Ports 77b6f1e2-bde4-4a6a-ae7e-a40659ff1576 |
Medium | Networking and Firewall | Query details Documentation |
| EC2 Permissive Network ACL Protocols 03879981-efa2-47a0-a818-c843e1441b88 |
Medium | Networking and Firewall | Query details Documentation |
| EC2 Public Instance Exposed Through Subnet c44c95fc-ae92-4bb8-bdf8-bb9bc412004a |
Medium | Networking and Firewall | Query details Documentation |
| EKS node group remote access 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3 |
Medium | Networking and Firewall | Query details Documentation |
| Elasticsearch with HTTPS disabled 4cdc88e6-c0c8-4081-a639-bb3a557cbedf |
Medium | Networking and Firewall | Query details Documentation |
| ELB With Security Group Without Inbound Rules e200a6f3-c589-49ec-9143-7421d4a2c845 |
Medium | Networking and Firewall | Query details Documentation |
| ELB With Security Group Without Outbound Rules 01d5a458-a6c4-452a-ac50-054d59275b7c |
Medium | Networking and Firewall | Query details Documentation |
| GameLift Fleet EC2 InboundPermissions With Port Range 43356255-495d-4148-ad8d-f6af5eac09dd |
Medium | Networking and Firewall | Query details Documentation |
| HTTP Port Open To Internet ddfc4eaa-af23-409f-b96c-bf5c45dc4daa |
Medium | Networking and Firewall | Query details Documentation |
| SageMaker Notebook Not Placed In VPC 9c7028d9-04c2-45be-b8b2-1188ccaefb36 |
Medium | Networking and Firewall | Query details Documentation |
| Security Group Egress CIDR Open To World 1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a |
Medium | Networking and Firewall | Query details Documentation |
| Security Group Egress With All Protocols ee464fc2-54a6-4e22-b10a-c6dcd2474d0c |
Medium | Networking and Firewall | Query details Documentation |
| Security Group Egress With Port Range dae9c373-8287-462f-8746-6f93dad93610 |
Medium | Networking and Firewall | Query details Documentation |
| Security Group Ingress With All Protocols 1a427b25-2e9e-4298-9530-0499a55e736b |
Medium | Networking and Firewall | Query details Documentation |
| Security Group Ingress With Port Range 87482183-a8e7-4e42-a566-7a23ec231c16 |
Medium | Networking and Firewall | Query details Documentation |
| Security Group With Unrestricted Access To SSH 6e856af2-62d7-4ba2-adc1-73b62cef9cc1 |
Medium | Networking and Firewall | Query details Documentation |
| Security Groups Allows Unrestricted Outbound Traffic 66f2d8f9-a911-4ced-ae27-34f09690bb2c |
Medium | Networking and Firewall | Query details Documentation |
| TCP UDP Protocol Network ACL Entry Allows All Ports f57f849c-883b-4cb7-85e7-f7b199dff163 |
Medium | Networking and Firewall | Query details Documentation |
| VPC Without Network Firewall 3e293410-d5b8-411f-85fd-7d26294f20c9 |
Medium | Networking and Firewall | Query details Documentation |
| API Gateway Deployment Without Access Log Setting 06ec63e3-9f72-4fe2-a218-2eb9200b8db5 |
Medium | Observability | Query details Documentation |
| API Gateway V2 Stage Access Logging Settings Not Defined 80d45af4-4920-4236-a56e-b7ef419d1941 |
Medium | Observability | Query details Documentation |
| CloudFront Logging Disabled de77cd9f-0e8b-46cc-b4a4-b6b436838642 |
Medium | Observability | Query details Documentation |
| CloudTrail Logging Disabled 5c0b06d5-b7a4-484c-aeb0-75a836269ff0 |
Medium | Observability | Query details Documentation |
| CloudWatch Logging Disabled 0f0fb06b-0f2f-4374-8588-f2c7c348c7a0 |
Medium | Observability | Query details Documentation |
| CloudWatch Metrics Disabled 5d3c1807-acb3-4bb0-be4e-0440230feeaf |
Medium | Observability | Query details Documentation |
| DocDB Logging Is Disabled 1bf3b3d4-f373-4d7c-afbb-7d85948a67a5 |
Medium | Observability | Query details Documentation |
| EC2 Instance Monitoring Disabled 0264093f-6791-4475-af34-4b8102dcbcd0 |
Medium | Observability | Query details Documentation |
| Elasticsearch Logs Disabled edbd62d4-8700-41de-b000-b3cfebb5e996 |
Medium | Observability | Query details Documentation |
| ELB Access Log Disabled ee12ad32-2863-4c0f-b13f-28272d115028 |
Medium | Observability | Query details Documentation |
| ELBv2 ALB Access Log Disabled c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621 |
Medium | Observability | Query details Documentation |
| GuardDuty Detector Disabled a25cd877-375c-4121-a640-730929936fac |
Medium | Observability | Query details Documentation |
| MQ Broker Logging Disabled e519ed6a-8328-4b69-8eb7-8fa549ac3050 |
Medium | Observability | Query details Documentation |
| MSK Cluster Logging Disabled fc7c2c15-f5d0-4b80-adb2-c89019f8f62b |
Medium | Observability | Query details Documentation |
| Redshift Cluster Logging Disabled 3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6 |
Medium | Observability | Query details Documentation |
| S3 Bucket CloudTrail Logging Disabled c3ce69fd-e3df-49c6-be78-1db3f802261c |
Medium | Observability | Query details Documentation |
| S3 Bucket Logging Disabled 4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c |
Medium | Observability | Query details Documentation |
| VPC FlowLogs Disabled f6d299d2-21eb-41cc-b1e1-fe12d857500b |
Medium | Observability | Query details Documentation |
| High Access Key Rotation Period 800fa019-49dd-421b-9042-7331fdd83fa2 |
Medium | Secret Management | Query details Documentation |
| IAM User With No Group 06933df4-0ea7-461c-b9b5-104d27390e0e |
Low | Access Control | Query details Documentation |
| Support Has No Role Associated d71b5fd7-9020-4b2d-9ec8-b3839faa2744 |
Low | Access Control | Query details Documentation |
| EBS Volume Not Attached To Instances 1819ac03-542b-4026-976b-f37addd59f3b |
Low | Availability | Query details Documentation |
| ECS Service Without Running Tasks 79d745f0-d5f3-46db-9504-bef73e9fd528 |
Low | Availability | Query details Documentation |
| VPC Attached With Too Many Gateways 97e94d17-e2c7-4109-a53b-6536ac1bb64e |
Low | Availability | Query details Documentation |
| Low RDS Backup Retention Period e649a218-d099-4550-86a4-1231e1fcb60d |
Low | Backup | Query details Documentation |
| RDS DB Instance With Deletion Protection Disabled 2c161e58-cb52-454f-abea-6470c37b5e6e |
Low | Backup | Query details Documentation |
| Automatic Minor Upgrades Disabled f0104061-8bfc-4b45-8a7d-630eb502f281 |
Low | Best Practices | Query details Documentation |
| CDN Configuration Is Missing e4f54ff4-d352-40e8-a096-5141073c37a2 |
Low | Best Practices | Query details Documentation |
| Cognito UserPool Without MFA 74a18d1a-cf02-4a31-8791-ed0967ad7fdc |
Low | Best Practices | Query details Documentation |
| Geo Restriction Disabled 7f8843f0-9ea5-42b4-a02b-753055113195 |
Low | Best Practices | Query details Documentation |
| IAM Access Analyzer Not Enabled 8d29754a-2a18-460d-a1ba-9509f8d359da |
Low | Best Practices | Query details Documentation |
| IAM Password Without Minimum Length b1b20ae3-8fa7-4af5-a74d-a2145920fcb1 |
Low | Best Practices | Query details Documentation |
| IAM Policies Without Groups 5e7acff5-095b-40ac-9073-ac2e4ad8a512 |
Low | Best Practices | Query details Documentation |
| Lambda Permission Misconfigured 9b83114b-b2a1-4534-990d-06da015e47aa |
Low | Best Practices | Query details Documentation |
| Security Group Ingress Has CIDR Not Recommended a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd |
Low | Best Practices | Query details Documentation |
| DynamoDB With Not Recommended Table Billing Mode c333e906-8d8b-4275-b999-78b6318f8dc6 |
Low | Build Process | Query details Documentation |
| EFS Without Tags 08e39832-5e42-4304-98a0-aa5b43393162 |
Low | Build Process | Query details Documentation |
| API Gateway With Invalid Compression d6653eee-2d4d-4e6a-976f-6794a497999a |
Low | Encryption | Query details Documentation |
| CloudTrail Log Files Not Encrypted With KMS 050a9ba8-d1cb-4c61-a5e8-8805a70d3b85 |
Low | Encryption | Query details Documentation |
| EFS Without KMS 6d087495-2a42-4735-abf7-02ef5660a7e6 |
Low | Encryption | Query details Documentation |
| API Gateway Cache Cluster Disabled 52790cad-d60d-41d5-8483-146f9f21208d |
Low | Insecure Configurations | Query details Documentation |
| Inline Policies Are Attached To ECS Service 9e8c89b3-7997-4d15-93e4-7911b9db99fd |
Low | Insecure Configurations | Query details Documentation |
| Instance With No VPC 8a6d36cd-0bc6-42b7-92c4-67acc8576861 |
Low | Insecure Configurations | Query details Documentation |
| Lambda Function Without Dead Letter Queue c2eae442-d3ba-4cb1-84ca-1db4f80eae3d |
Low | Insecure Configurations | Query details Documentation |
| Lambda Function Without Tags 8df8e857-bd59-44fa-9f4c-d77594b95b46 |
Low | Insecure Configurations | Query details Documentation |
| Wildcard In ACM Certificate Domain Name cc8b294f-006f-4f8f-b5bb-0a9140c33131 |
Low | Insecure Configurations | Query details Documentation |
| RouterTable with Default Routing 4f0908b9-eb66-433f-9145-134274e1e944 |
Low | Insecure Defaults | Query details Documentation |
| S3 Bucket Should Have Bucket Policy 37fa8188-738b-42c8-bf82-6334ea567738 |
Low | Insecure Defaults | Query details Documentation |
| EC2 Instance Using Default VPC e42a3ef0-5325-4667-84bf-075ba1c9d58e |
Low | Networking and Firewall | Query details Documentation |
| ElastiCache Using Default Port 323db967-c68e-44e6-916c-a777f95af34b |
Low | Networking and Firewall | Query details Documentation |
| ElastiCache Without VPC ba766c53-fe71-4bbb-be35-b6803f2ef13e |
Low | Networking and Firewall | Query details Documentation |
| EMR Without VPC bf89373a-be40-4c04-99f5-746742dfd7f3 |
Low | Networking and Firewall | Query details Documentation |
| RDS Using Default Port 1fe9d958-ddce-4228-a124-05265a959a8b |
Low | Networking and Firewall | Query details Documentation |
| Redshift Using Default Port a478af30-8c3a-404d-aa64-0b673cee509a |
Low | Networking and Firewall | Query details Documentation |
| Security Groups Without VPC Attached 493d9591-6249-47bf-8dc0-5c10161cc558 |
Low | Networking and Firewall | Query details Documentation |
| Shield Advanced Not In Use ad7444cf-817a-4765-a79e-2145f7981faf |
Low | Networking and Firewall | Query details Documentation |
| API Gateway Deployment Without API Gateway UsagePlan Associated 783860a3-6dca-4c8b-81d0-7b62769ccbca |
Low | Observability | Query details Documentation |
| API Gateway X-Ray Disabled 4ab10c48-bedb-4deb-8f3b-ff12783b61de |
Low | Observability | Query details Documentation |
| CloudTrail Log File Validation Disabled 2a3560fe-52ca-4443-b34f-bf0ed5eb74c8 |
Low | Observability | Query details Documentation |
| CloudTrail Multi Region Disabled 058ac855-989f-4378-ba4d-52d004020da7 |
Low | Observability | Query details Documentation |
| CloudTrail Not Integrated With CloudWatch 65d07da5-9af5-44df-8983-52d2e6f24c44 |
Low | Observability | Query details Documentation |
| CloudTrail SNS Topic Name Undefined 3e09413f-471e-40f3-8626-990c79ae63f3 |
Low | Observability | Query details Documentation |
| CMK Rotation Disabled 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5 |
Low | Observability | Query details Documentation |
| Configuration Aggregator to All Regions Disabled 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d |
Low | Observability | Query details Documentation |
| ECS Cluster with Container Insights Disabled ab759fde-e1e8-4b0e-ad73-ba856e490ed8 |
Low | Observability | Query details Documentation |
| ECS Task Definition HealthCheck Missing d24389b4-b209-4ff0-8345-dc7a4569dcdd |
Low | Observability | Query details Documentation |
| ElasticSearch Without Slow Logs 086ea2eb-14a6-4fd4-914b-38e0bc8703e8 |
Low | Observability | Query details Documentation |
| Lambda Functions Without X-Ray Tracing 9488c451-074e-4cd3-aee3-7db6104f542c |
Low | Observability | Query details Documentation |
| Stack Notifications Disabled 837e033c-4717-40bd-807e-6abaa30161b7 |
Low | Observability | Query details Documentation |
| Unscanned ECR Image 9025b2b3-e554-4842-ba87-db7aeec36d35 |
Low | Observability | Query details Documentation |
| API Gateway Stage Without API Gateway UsagePlan Associated 7f8f1b60-43df-4c28-aa21-fb836dbd8071 |
Low | Resource Management | Query details Documentation |
| ECS Task Definition Invalid CPU or Memory f4c9b5f5-68b8-491f-9e48-4f96644a1d51 |
Low | Resource Management | Query details Documentation |
| SDB Domain Declared As A Resource 6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d |
Low | Resource Management | Query details Documentation |
| VPC Without Attached Subnet 3b3b4411-ad1f-40e7-b257-a78a6bb9673a |
Low | Resource Management | Query details Documentation |
| EBS Volume Without KmsKeyId b7063015-6c31-4658-a8e7-14f98f37fd42 |
Low | Secret Management | Query details Documentation |
| Secrets Manager Should Specify KmsKeyId c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22 |
Low | Secret Management | Query details Documentation |
| SNS Topic Without KmsMasterKeyId 9d13b150-a2ab-42a1-b6f4-142e41f81e52 |
Low | Secret Management | Query details Documentation |
| EC2 Not EBS Optimized 8dd0ff1f-0da4-48df-9bb3-7f338ae36a40 |
Info | Best Practices | Query details Documentation |
| Security Group Rule Without Description 5e6c9c68-8a82-408e-8749-ddad78cbb9c5 |
Info | Best Practices | Query details Documentation |
| EC2 Network ACL Duplicate Rule 045ddb54-cfc5-4abb-9e05-e427b2bc96fe |
Info | Networking and Firewall | Query details Documentation |
AWS_BOM¶
Below are listed queries related to CloudFormation AWS_BOM:
| Query | Severity | Category | More info |
|---|---|---|---|
| BOM - AWS Cassandra 124b173b-e06d-48a6-8acd-f889443d97a4 |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS DynamoDB 4e67c0ae-38a0-47f4-a50c-f0c9b75826df |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS EBS 0b0556ea-9cd9-476f-862e-20679dda752b |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS EFS ef05a925-8568-4054-8ff1-f5ba82631c16 |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS Elasticache c689f51b-9203-43b3-9d8b-caed123f706c |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS Kinesis d53323be-dde6-4457-9a43-42df737e71d2 |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS MQ 209189f3-c879-48a7-9703-fbcfa96d0cef |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS MSK 2730c169-51d7-4ae7-99b5-584379eff1bb |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS RDS 6ef03ff6-a2bd-483c-851f-631f248bc0ea |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS S3 Buckets b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83 |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS SNS 42e7dca3-8cce-4325-8df0-108888259136 |
Trace | Bill Of Materials | Query details Documentation |
| BOM - AWS SQS 59a849c2-1127-4023-85a5-ef906dcd458c |
Trace | Bill Of Materials | Query details Documentation |
AWS_SAM¶
Below are listed queries related to CloudFormation AWS_SAM:
| Query | Severity | Category | More info |
|---|---|---|---|
| Serverless Function Without Unique IAM Role 4ba74f01-aba5-4be2-83bc-be79ff1a3b92 |
High | Insecure Configurations | Query details Documentation |
| Serverless Function Environment Variables Not Encrypted a7f8ac28-eed1-483d-87c8-4c325f022572 |
Medium | Encryption | Query details Documentation |
| Serverless API Endpoint Config Not Private 6b5b0313-771b-4319-ad7a-122ee78700ef |
Medium | Networking and Firewall | Query details Documentation |
| Serverless API Access Logging Setting Undefined 0a994e04-c6dc-471d-817e-d37451d18a3b |
Medium | Observability | Query details Documentation |
| Serverless API X-Ray Tracing Disabled c757c6a3-ac87-4b9d-b28d-e5a5add6a315 |
Medium | Observability | Query details Documentation |
| Serverless API Without Content Encoding a2f2800e-614b-4bc8-89e6-fec8afd24800 |
Low | Encryption | Query details Documentation |
| Serverless API Cache Cluster Disabled 60a05ede-0a68-4d0d-a58f-f538cf55ff79 |
Low | Insecure Configurations | Query details Documentation |
| Serverless Function Without Dead Letter Queue cb2f612b-ed42-4ff5-9fb9-255c73d39a18 |
Low | Insecure Configurations | Query details Documentation |
| Serverless Function Without Tags a71ecabe-03b6-456a-b3bc-d1a39aa20c98 |
Low | Insecure Configurations | Query details Documentation |
| Serverless Function Without X-Ray Tracing dc1ab429-1481-4540-9b1d-280e3f15f1f8 |
Low | Observability | Query details Documentation |