Terraform

Terraform Queries List¶

This page contains all queries from Terraform.

ALICLOUD¶

Below are listed queries related to Terraform ALICLOUD:

Query	Severity	Category	More info
OSS Bucket Allows All Actions From All Principals ^{_{ec62a32c-a297-41ca-a850-cab40b42094a}}	Critical	Access Control	Query details Documentation
OSS Bucket Allows Delete Action From All Principals ^{_{8c0695d8-2378-4cd6-8243-7fd5894fa574}}	Critical	Access Control	Query details Documentation
OSS Bucket Allows Put Action From All Principals ^{_{fe286195-e75c-4359-bd58-00847c4f855a}}	Critical	Access Control	Query details Documentation
RDS DB Instance Publicly Accessible ^{_{faaefc15-51a5-419e-bb5e-51a4b5ab3485}}	Critical	Insecure Configurations	Query details Documentation
OSS Bucket Allows List Action From All Principals ^{_{88541597-6f88-42c8-bac6-7e0b855e8ff6}}	High	Access Control	Query details Documentation
OSS Bucket Public Access Enabled ^{_{62232513-b16f-4010-83d7-51d0e1d45426}}	High	Access Control	Query details Documentation
Ecs Data Disk Kms Key Id Undefined ^{_{f262118c-1ac6-4bb3-8495-cc48f1775b85}}	High	Encryption	Query details Documentation
Launch Template Is Not Encrypted ^{_{1455cb21-1d48-46d6-8ae3-cef911b71fd5}}	High	Encryption	Query details Documentation
NAS File System Not Encrypted ^{_{67bfdff1-31ce-4525-b564-e94368735360}}	High	Encryption	Query details Documentation
NAS File System Without KMS ^{_{5f670f9d-b1b4-4c90-8618-2288f1ab9676}}	High	Encryption	Query details Documentation
RDS Instance TDE Status Disabled ^{_{44d434ca-a9bf-4203-8828-4c81a8d5a598}}	High	Encryption	Query details Documentation
OSS Bucket Has Static Website ^{_{2b13c6ff-b87a-484d-86fd-21ef6e97d426}}	High	Insecure Configurations	Query details Documentation
OSS Bucket Ip Restriction Disabled ^{_{6107c530-7178-464a-88bc-df9cdd364ac8}}	High	Networking and Firewall	Query details Documentation
Public Security Group Rule All Ports or Protocols ^{_{60587dbd-6b67-432e-90f7-a8cf1892d968}}	High	Networking and Firewall	Query details Documentation
Public Security Group Rule Sensitive Port ^{_{2ae9d554-23fb-4065-bfd1-fe43d5f7c419}}	High	Networking and Firewall	Query details Documentation
Public Security Group Rule Unknown Port ^{_{dd706080-b7a8-47dc-81fb-3e8184430ec0}}	High	Networking and Firewall	Query details Documentation
ActionTrail Trail OSS Bucket is Publicly Accessible ^{_{69b5d7da-a5db-4db9-a42e-90b65d0efb0b}}	High	Observability	Query details Documentation
Ram Policy Admin Access Not Attached to Users Groups Roles ^{_{e8e62026-da63-4904-b402-65adfe3ca975}}	Medium	Access Control	Query details Documentation
Ram Policy Attached to User ^{_{66505003-7aba-45a1-8d83-5162d5706ef5}}	Medium	Access Control	Query details Documentation
CMK Is Unusable ^{_{ed6e3ba0-278f-47b6-a1f5-173576b40b7e}}	Medium	Availability	Query details Documentation
OSS Bucket Versioning Disabled ^{_{70919c0b-2548-4e6b-8d7a-3d84ab6dabba}}	Medium	Backup	Query details Documentation
ROS Stack Retention Disabled ^{_{4bb06fa1-2114-4a00-b7b5-6aeab8b896f0}}	Medium	Backup	Query details Documentation
ROS Stack Without Template ^{_{92d65c51-5d82-4507-a2a1-d252e9706855}}	Medium	Build Process	Query details Documentation
Disk Encryption Disabled ^{_{39750e32-3fe9-453b-8c33-dd277acdb2cc}}	Medium	Encryption	Query details Documentation
OSS Bucket Encryption Using CMK Disabled ^{_{f20e97f9-4919-43f1-9be9-f203cd339cdd}}	Medium	Encryption	Query details Documentation
SLB Policy With Insecure TLS Version In Use ^{_{dbfc834a-56e5-4750-b5da-73fda8e73f70}}	Medium	Encryption	Query details Documentation
CS Kubernetes Node Pool Auto Repair Disabled ^{_{81ce9394-013d-4731-8fcc-9d229b474073}}	Medium	Insecure Configurations	Query details Documentation
RDS DB Instance Publicly Accessible ^{_{1b4565c0-4877-49ac-ab03-adebbccd42ae}}	Medium	Insecure Configurations	Query details Documentation
ALB Listening on HTTP ^{_{ee3b1557-9fb5-4685-a95d-93f1edf2a0d7}}	Medium	Networking and Firewall	Query details Documentation
API Gateway API Protocol Not HTTPS ^{_{1bcdf9f0-b1aa-40a4-b8c6-cd7785836843}}	Medium	Networking and Firewall	Query details Documentation
OSS Buckets Secure Transport Disabled ^{_{c01d10de-c468-4790-b3a0-fc887a56f289}}	Medium	Networking and Firewall	Query details Documentation
RDS Instance SSL Action Disabled ^{_{7a1ee8a9-71be-4b11-bb70-efb62d16863b}}	Medium	Networking and Firewall	Query details Documentation
Action Trail Logging For All Regions Disabled ^{_{c065b98e-1515-4991-9dca-b602bd6a2fbb}}	Medium	Observability	Query details Documentation
OSS Bucket Logging Disabled ^{_{05db341e-de7d-4972-a106-3e2bd5ee53e1}}	Medium	Observability	Query details Documentation
RDS Instance Events Not Logged ^{_{b9c524a4-fe76-4021-a6a2-cb978fb4fde1}}	Medium	Observability	Query details Documentation
RDS Instance Log Connections Disabled ^{_{140869ea-25f2-40d4-a595-0c0da135114e}}	Medium	Observability	Query details Documentation
RDS Instance Log Disconnections Disabled ^{_{d53f4123-f8d8-4224-8cb3-f920b151cc98}}	Medium	Observability	Query details Documentation
RDS Instance Log Duration Disabled ^{_{a597e05a-c065-44e7-9cc8-742f572a504a}}	Medium	Observability	Query details Documentation
VPC Flow Logs Disabled ^{_{d2731f3d-a992-44ed-812e-f4f1c2747d71}}	Medium	Observability	Query details Documentation
No ROS Stack Policy ^{_{72ceb736-0aee-43ea-a191-3a69ab135681}}	Medium	Resource Management	Query details Documentation
High KMS Key Rotation Period ^{_{cb319d87-b90f-485e-a7e7-f2408380f309}}	Medium	Secret Management	Query details Documentation
Ram Account Password Policy Max Login Attempts Unrecommended ^{_{e76fd7ab-7333-40c6-a2d8-ea28af4a319e}}	Medium	Secret Management	Query details Documentation
Ram Account Password Policy Max Password Age Unrecommended ^{_{2bb13841-7575-439e-8e0a-cccd9ede2fa8}}	Medium	Secret Management	Query details Documentation
RAM Account Password Policy without Reuse Prevention ^{_{a8128dd2-89b0-464b-98e9-5d629041dfe0}}	Medium	Secret Management	Query details Documentation
RAM Security Preference Not Enforce MFA Login ^{_{dcda2d32-e482-43ee-a926-75eaabeaa4e0}}	Low	Access Control	Query details Documentation
OSS Bucket Transfer Acceleration Disabled ^{_{8f98334a-99aa-4d85-b72a-1399ca010413}}	Low	Availability	Query details Documentation
OSS Bucket Lifecycle Rule Disabled ^{_{7db8bd7e-9772-478c-9ec5-4bc202c5686f}}	Low	Backup	Query details Documentation
Kubernetes Cluster Without Terway as CNI Network Plugin ^{_{b9b7ada8-3868-4a35-854e-6100a2bb863d}}	Low	Networking and Firewall	Query details Documentation
Log Retention Is Not Greater Than 90 Days ^{_{ed6cf6ff-9a1f-491c-9f88-e03c0807f390}}	Low	Observability	Query details Documentation
RDS Instance Retention Period Not Recommended ^{_{dc158941-28ce-481d-a7fa-dc80761edf46}}	Low	Observability	Query details Documentation
ROS Stack Notifications Disabled ^{_{9ef08939-ea40-489c-8851-667870b2ef50}}	Low	Observability	Query details Documentation
Ram Account Password Policy Not Require At Least one Lowercase Character ^{_{89143358-cec6-49f5-9392-920c591c669c}}	Low	Secret Management	Query details Documentation
RAM Account Password Policy Not Require at Least one Uppercase Character ^{_{5e0fb613-ba9b-44c3-88f0-b44188466bfd}}	Low	Secret Management	Query details Documentation
Ram Account Password Policy Not Required Minimum Length ^{_{a9dfec39-a740-4105-bbd6-721ba163c053}}	Low	Secret Management	Query details Documentation
Ram Account Password Policy Not Required Numbers ^{_{063234c0-91c0-4ab5-bbd0-47ddb5f23786}}	Low	Secret Management	Query details Documentation
RAM Account Password Policy Not Required Symbols ^{_{41a38329-d81b-4be4-aef4-55b2615d3282}}	Low	Secret Management	Query details Documentation

AWS¶

Below are listed queries related to Terraform AWS:

Query	Severity	Category	More info
Amazon DMS Replication Instance Is Publicly Accessible ^{_{030d3b18-1821-45b4-9e08-50efbe7becbb}}	Critical	Access Control	Query details Documentation
ECR Repository Is Publicly Accessible ^{_{e86e26fc-489e-44f0-9bcd-97305e4ba69a}}	Critical	Access Control	Query details Documentation
S3 Bucket Access to Any Principal ^{_{7af43613-6bb9-4a0e-8c4d-1314b799425e}}	Critical	Access Control	Query details Documentation
S3 Bucket ACL Allows Read Or Write to All Users ^{_{38c5ee0d-7f22-4260-ab72-5073048df100}}	Critical	Access Control	Query details Documentation
S3 Bucket ACL Grants WRITE_ACP Permission ^{_{64a222aa-7793-4e40-915f-4b302c76e4d4}}	Critical	Access Control	Query details Documentation
S3 Bucket Allows Delete Action From All Principals ^{_{ffdf4b37-7703-4dfe-a682-9d2e99bc6c09}}	Critical	Access Control	Query details Documentation
S3 Bucket Allows Put Action From All Principals ^{_{d24c0755-c028-44b1-b503-8e719c898832}}	Critical	Access Control	Query details Documentation
S3 Bucket With All Permissions ^{_{a4966c4f-9141-48b8-a564-ffe9959945bc}}	Critical	Access Control	Query details Documentation
SNS Topic is Publicly Accessible ^{_{b26d2b7e-60f6-413d-a3a1-a57db24aa2b3}}	Critical	Access Control	Query details Documentation
RDS DB Instance Publicly Accessible ^{_{35113e6f-2c6b-414d-beec-7a9482d3b2d1}}	Critical	Insecure Configurations	Query details Documentation
DB Security Group With Public Scope ^{_{1e0ef61b-ad85-4518-a3d3-85eaad164885}}	Critical	Networking and Firewall	Query details Documentation
RDS Associated with Public Subnet ^{_{2f737336-b18a-4602-8ea0-b200312e1ac1}}	Critical	Networking and Firewall	Query details Documentation
CloudWatch Unauthorized Access Alarm Missing ^{_{4c18a45b-4ab1-4790-9f83-399ac695f1e5}}	Critical	Observability	Query details Documentation
Cross-Account IAM Assume Role Policy Without ExternalId or MFA ^{_{09c35abf-5852-4622-ac7a-b987b331232e}}	High	Access Control	Query details Documentation
ECS Service Admin Role Is Present ^{_{3206240f-2e87-4e58-8d24-3e19e7c83d7c}}	High	Access Control	Query details Documentation
IAM Policy Grants Full Permissions ^{_{575a2155-6af1-4026-b1af-d5bc8fe2a904}}	High	Access Control	Query details Documentation
IAM Role With Full Privileges ^{_{b1ffa705-19a3-4b73-b9d0-0c97d0663842}}	High	Access Control	Query details Documentation
Lambda With Vulnerable Policy ^{_{ad9dabc7-7839-4bae-a957-aa9120013f39}}	High	Access Control	Query details Documentation
MSK Broker Is Publicly Accessible ^{_{54378d69-dd7c-4b08-a43e-80d563396857}}	High	Access Control	Query details Documentation
Neptune Cluster Instance is Publicly Accessible ^{_{9ba198e0-fef4-464a-8a4d-75ea55300de7}}	High	Access Control	Query details Documentation
Neptune Cluster With IAM Database Authentication Disabled ^{_{c91d7ea0-d4d1-403b-8fe1-c9961ac082c5}}	High	Access Control	Query details Documentation
S3 Bucket ACL Allows Read to Any Authenticated User ^{_{57b9893d-33b1-4419-bcea-a717ea87e139}}	High	Access Control	Query details Documentation
S3 Bucket Allows Get Action From All Principals ^{_{1df37f4b-7197-45ce-83f8-9994d2fcf885}}	High	Access Control	Query details Documentation
S3 Bucket Allows List Action From All Principals ^{_{66c6f96f-2d9e-417e-a998-9058aeeecd44}}	High	Access Control	Query details Documentation
S3 Bucket Allows Public Policy ^{_{1a4bc881-9f69-4d44-8c9a-d37d08f54c50}}	High	Access Control	Query details Documentation
S3 Bucket Public ACL Overridden By Public Access Block ^{_{bf878b1a-7418-4de3-b13c-3a86cf894920}}	High	Access Control	Query details Documentation
Secrets Manager With Vulnerable Policy ^{_{fa00ce45-386d-4718-8392-fb485e1f3c5b}}	High	Access Control	Query details Documentation
SES Policy With Allowed IAM Actions ^{_{34b921bd-90a0-402e-a0a5-dc73371fd963}}	High	Access Control	Query details Documentation
SQS Policy Allows All Actions ^{_{816ea8cf-d589-442d-a917-2dd0ce0e45e3}}	High	Access Control	Query details Documentation
SQS Queue Exposed ^{_{abb06e5f-ef9a-4a99-98c6-376d396bfcdf}}	High	Access Control	Query details Documentation
AmazonMQ Broker Encryption Disabled ^{_{3db3f534-e3a3-487f-88c7-0a9fbf64b702}}	High	Encryption	Query details Documentation
API Gateway Method Settings Cache Not Encrypted ^{_{b7c9a40c-23e4-4a2d-8d39-a3352f10f288}}	High	Encryption	Query details Documentation
Athena Database Not Encrypted ^{_{b2315cae-b110-4426-81e0-80bb8640cdd3}}	High	Encryption	Query details Documentation
Athena Workgroup Not Encrypted ^{_{d364984a-a222-4b5f-a8b0-e23ab19ebff3}}	High	Encryption	Query details Documentation
Aurora With Disabled at Rest Encryption ^{_{1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e}}	High	Encryption	Query details Documentation
Config Rule For Encrypted Volumes Disabled ^{_{abdb29d4-5ca1-4e91-800b-b3569bbd788c}}	High	Encryption	Query details Documentation
DAX Cluster Not Encrypted ^{_{f11aec39-858f-4b6f-b946-0a1bf46c0c87}}	High	Encryption	Query details Documentation
DB Instance Storage Not Encrypted ^{_{08bd0760-8752-44e1-9779-7bb369b2b4e4}}	High	Encryption	Query details Documentation
DOCDB Cluster Not Encrypted ^{_{bc1f9009-84a0-490f-ae09-3e0ea6d74ad6}}	High	Encryption	Query details Documentation
DOCDB Cluster Without KMS ^{_{4766d3ea-241c-4ee6-93ff-c380c996bd1a}}	High	Encryption	Query details Documentation
DynamoDB Table Not Encrypted ^{_{ce089fd4-1406-47bd-8aad-c259772bb294}}	High	Encryption	Query details Documentation
EBS Default Encryption Disabled ^{_{3d3f6270-546b-443c-adb4-bb6fb2187ca6}}	High	Encryption	Query details Documentation
EBS Volume Encryption Disabled ^{_{cc997676-481b-4e93-aa81-d19f8c5e9b12}}	High	Encryption	Query details Documentation
EBS Volume Snapshot Not Encrypted ^{_{e6b4b943-6883-47a9-9739-7ada9568f8ca}}	High	Encryption	Query details Documentation
ECS Task Definition Volume Not Encrypted ^{_{4d46ff3b-7160-41d1-a310-71d6d370b08f}}	High	Encryption	Query details Documentation
EFS Not Encrypted ^{_{48207659-729f-4b5c-9402-f884257d794f}}	High	Encryption	Query details Documentation
EKS Cluster Encryption Disabled ^{_{63ebcb19-2739-4d3f-aa5c-e8bbb9b85281}}	High	Encryption	Query details Documentation
ElastiCache Replication Group Not Encrypted At Rest ^{_{76976de7-c7b1-4f64-a94f-90c1345914c2}}	High	Encryption	Query details Documentation
ElasticSearch Encryption With KMS Disabled ^{_{7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2}}	High	Encryption	Query details Documentation
ElasticSearch Not Encrypted At Rest ^{_{24e16922-4330-4e9d-be8a-caa90299466a}}	High	Encryption	Query details Documentation
ELB Using Weak Ciphers ^{_{4a800e14-c94a-442d-9067-5a2e9f6c0a4c}}	High	Encryption	Query details Documentation
Glue Data Catalog Encryption Disabled ^{_{01d50b14-e933-4c99-b314-6d08cd37ad35}}	High	Encryption	Query details Documentation
Glue Security Configuration Encryption Disabled ^{_{ad5b4e97-2850-4adf-be17-1d293e0b85ee}}	High	Encryption	Query details Documentation
Kinesis Not Encrypted With KMS ^{_{862fe4bf-3eec-4767-a517-40f378886b88}}	High	Encryption	Query details Documentation
Kinesis SSE Not Configured ^{_{5c6dd5e7-1fe0-4cae-8f81-4c122717cef3}}	High	Encryption	Query details Documentation
Launch Configuration Is Not Encrypted ^{_{4de9de27-254e-424f-bd70-4c1e95790838}}	High	Encryption	Query details Documentation
MSK Cluster Encryption Disabled ^{_{6db52fa6-d4da-4608-908a-89f0c59e743e}}	High	Encryption	Query details Documentation
Neptune Database Cluster Encryption Disabled ^{_{98d59056-f745-4ef5-8613-32bca8d40b7e}}	High	Encryption	Query details Documentation
RDS Database Cluster not Encrypted ^{_{656880aa-1388-488f-a6d4-8f73c23149b2}}	High	Encryption	Query details Documentation
RDS Storage Not Encrypted ^{_{3199c26c-7871-4cb3-99c2-10a59244ce7f}}	High	Encryption	Query details Documentation
Redis Not Compliant ^{_{254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4}}	High	Encryption	Query details Documentation
Redshift Not Encrypted ^{_{cfdcabb0-fc06-427c-865b-c59f13e898ce}}	High	Encryption	Query details Documentation
S3 Bucket Object Not Encrypted ^{_{5fb49a69-8d46-4495-a2f8-9c8c622b2b6e}}	High	Encryption	Query details Documentation
Sagemaker Endpoint Configuration Encryption Disabled ^{_{58b35504-0287-4154-bf69-02c0573deab8}}	High	Encryption	Query details Documentation
Sagemaker Notebook Instance Without KMS ^{_{f3674e0c-f6be-43fa-b71c-bf346d1aed99}}	High	Encryption	Query details Documentation
SNS Topic Not Encrypted ^{_{28545147-2fc6-42d5-a1f9-cf226658e591}}	High	Encryption	Query details Documentation
User Data Contains Encoded Private Key ^{_{443488f5-c734-460b-a36d-5b3f330174dc}}	High	Encryption	Query details Documentation
Workspaces Workspace Volume Not Encrypted ^{_{b9033580-6886-401a-8631-5f19f5bb24c7}}	High	Encryption	Query details Documentation
Batch Job Definition With Privileged Container Properties ^{_{66cd88ac-9ddf-424a-b77e-e55e17630bee}}	High	Insecure Configurations	Query details Documentation
DB Security Group Has Public Interface ^{_{f0d8781f-99bf-4958-9917-d39283b168a0}}	High	Insecure Configurations	Query details Documentation
KMS Key With Vulnerable Policy ^{_{7ebc9038-0bde-479a-acc4-6ed7b6758899}}	High	Insecure Configurations	Query details Documentation
Lambda Function With Privileged Role ^{_{1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2}}	High	Insecure Configurations	Query details Documentation
MQ Broker Is Publicly Accessible ^{_{4eb5f791-c861-4afd-9f94-f2a6a3fe49cb}}	High	Insecure Configurations	Query details Documentation
Redshift Publicly Accessible ^{_{af173fde-95ea-4584-b904-bb3923ac4bda}}	High	Insecure Configurations	Query details Documentation
Root Account Has Active Access Keys ^{_{970d224d-b42a-416b-81f9-8f4dfe70c4bc}}	High	Insecure Configurations	Query details Documentation
S3 Static Website Host Enabled ^{_{42bb6b7f-6d54-4428-b707-666f669d94fb}}	High	Insecure Configurations	Query details Documentation
DB Security Group Open To Large Scope ^{_{4f615f3e-fb9c-4fad-8b70-2e9f781806ce}}	High	Networking and Firewall	Query details Documentation
Default Security Groups With Unrestricted Traffic ^{_{46883ce1-dc3e-4b17-9195-c6a601624c73}}	High	Networking and Firewall	Query details Documentation
Network ACL With Unrestricted Access To RDP ^{_{a20be318-cac7-457b-911d-04cc6e812c25}}	High	Networking and Firewall	Query details Documentation
Remote Desktop Port Open To Internet ^{_{151187cb-0efc-481c-babd-ad24e3c9bc22}}	High	Networking and Firewall	Query details Documentation
Route53 Record Undefined ^{_{25db74bf-fa3b-44da-934e-8c3e005c0453}}	High	Networking and Firewall	Query details Documentation
Sensitive Port Is Exposed To Entire Network ^{_{381c3f2a-ef6f-4eff-99f7-b169cda3422c}}	High	Networking and Firewall	Query details Documentation
Unknown Port Exposed To Internet ^{_{590d878b-abdc-428f-895a-e2b68a0e1998}}	High	Networking and Firewall	Query details Documentation
Unrestricted Security Group Ingress ^{_{4728cd65-a20c-49da-8b31-9c08b423e4db}}	High	Networking and Firewall	Query details Documentation
VPC Default Security Group Accepts All Traffic ^{_{9a4ef195-74b9-4c58-b8ed-2b2fe4353a75}}	High	Networking and Firewall	Query details Documentation
VPC Peering Route Table with Unrestricted CIDR ^{_{b3a41501-f712-4c4f-81e5-db9a7dc0e34e}}	High	Networking and Firewall	Query details Documentation
CloudTrail Log Files S3 Bucket is Publicly Accessible ^{_{bd0088a5-c133-4b20-b129-ec9968b16ef3}}	High	Observability	Query details Documentation
Hardcoded AWS Access Key ^{_{d7b9d850-3e06-4a75-852f-c46c2e92240b}}	High	Secret Management	Query details Documentation
Hardcoded AWS Access Key In Lambda ^{_{1402afd8-a95c-4e84-8b0b-6fb43758e6ce}}	High	Secret Management	Query details Documentation
AMI Shared With Multiple Accounts ^{_{ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698}}	Medium	Access Control	Query details Documentation
API Gateway Method Does Not Contains An API Key ^{_{671211c5-5d2a-4e97-8867-30fc28b02216}}	Medium	Access Control	Query details Documentation
API Gateway Without Configured Authorizer ^{_{0a96ce49-4163-4ee6-8169-eb3b0797d694}}	Medium	Access Control	Query details Documentation
Certificate Has Expired ^{_{c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6}}	Medium	Access Control	Query details Documentation
EC2 Instance Using Default Security Group ^{_{f1adc521-f79a-4d71-b55b-a68294687432}}	Medium	Access Control	Query details Documentation
EFS With Vulnerable Policy ^{_{fae52418-bb8b-4ac2-b287-0b9082d6a3fd}}	Medium	Access Control	Query details Documentation
Elasticsearch Domain With Vulnerable Policy ^{_{16c4216a-50d3-4785-bfb2-4adb5144a8ba}}	Medium	Access Control	Query details Documentation
Elasticsearch Without IAM Authentication ^{_{e7530c3c-b7cf-4149-8db9-d037a0b5268e}}	Medium	Access Control	Query details Documentation
Glue With Vulnerable Policy ^{_{d25edb51-07fb-4a73-97d4-41cecdc53a22}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' ^{_{9b0ffadc-a61f-4c2a-b1e6-68fab60f6267}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' ^{_{15e6ad8c-f420-49a6-bafb-074f5eb1ec74}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' ^{_{7d544dad-8a6c-431c-84c1-5f07fe9afc0e}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' ^{_{8f3c16b3-354d-45db-8ad5-5066778a9485}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:AddUserToGroup' ^{_{970ed7a2-0aca-4425-acf1-0453c9ecbca1}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy' ^{_{70b42736-efee-4bce-80d5-50358ed94990}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:AttachRolePolicy' ^{_{3dd96caa-0b5f-4a85-b929-acfac4646cc2}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:AttachUserPolicy' ^{_{db78d14b-10e5-4e6e-84b1-dace6327b1ec}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:CreateAccessKey' ^{_{846646e3-2af1-428c-ac5d-271eccfa6faf}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:CreateLoginProfile' ^{_{04c686f1-e0cd-4812-88e1-4e038410074c}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ^{_{ec49cbfd-fae4-45f3-81b1-860526d66e3f}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:PutGroupPolicy' ^{_{e77c89f6-9c85-49ea-b95b-5f960fe5be92}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:PutRolePolicy' ^{_{c0c1e744-0f37-445e-924a-1846f0839f69}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:PutUserPolicy' ^{_{60263b4a-6801-4587-911d-919c37ed733b}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' ^{_{7782d4b3-e23e-432b-9742-d9528432e771}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' ^{_{78f1ec6f-5659-41ea-bd48-d0a142dce4f2}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile' ^{_{ad296c0d-8131-4d6b-b030-1b0e73a99ad3}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' ^{_{034d0aee-620f-4bf7-b7fb-efdf661fdb9e}}	Medium	Access Control	Query details Documentation
Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' ^{_{571254d8-aa6a-432e-9725-535d3ef04d69}}	Medium	Access Control	Query details Documentation
IAM Access Key Is Exposed ^{_{7081f85c-b94d-40fd-8b45-a4f1cac75e46}}	Medium	Access Control	Query details Documentation
IAM Group Without Users ^{_{fc101ca7-c9dd-4198-a1eb-0fbe92e80044}}	Medium	Access Control	Query details Documentation
IAM Policies Attached To User ^{_{b4378389-a9aa-44ee-91e7-ef183f11079e}}	Medium	Access Control	Query details Documentation
IAM Policies With Full Privileges ^{_{2f37c4a3-58b9-4afe-8a87-d7f1d2286f84}}	Medium	Access Control	Query details Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services ^{_{bcdcbdc6-a350-4855-ae7c-d1e6436f7c97}}	Medium	Access Control	Query details Documentation
IAM Role Allows All Principals To Assume ^{_{12b7e704-37f0-4d1e-911a-44bf60c48c21}}	Medium	Access Control	Query details Documentation
IAM Role Policy passRole Allows All ^{_{e39bee8c-fe54-4a3f-824d-e5e2d1cca40a}}	Medium	Access Control	Query details Documentation
IAM User With Access To Console ^{_{9ec311bf-dfd9-421f-8498-0b063c8bc552}}	Medium	Access Control	Query details Documentation
Lambda Permission Principal Is Wildcard ^{_{e08ed7eb-f3ef-494d-9d22-2e3db756a347}}	Medium	Access Control	Query details Documentation
Policy Without Principal ^{_{bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54}}	Medium	Access Control	Query details Documentation
Public and Private EC2 Share Role ^{_{c53c7a89-f9d7-4c7b-8b66-8a555be99593}}	Medium	Access Control	Query details Documentation
Public Lambda via API Gateway ^{_{3ef8696c-e4ae-4872-92c7-520bb44dfe77}}	Medium	Access Control	Query details Documentation
REST API With Vulnerable Policy ^{_{b161c11b-a59b-4431-9a29-4e19f63e6b27}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' ^{_{be2aa235-bd93-4b68-978a-1cc65d49082f}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' ^{_{30b88745-eebe-4ecb-a3a9-5cf886e96204}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' ^{_{0a592060-8166-49f5-8e65-99ac6dce9871}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' ^{_{eda48c88-2b7d-4e34-b6ca-04c0194aee17}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:AddUserToGroup' ^{_{b8a31292-509d-4b61-bc40-13b167db7e9c}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy' ^{_{f906113d-cdc0-415a-ba60-609cc6daaf4d}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:AttachRolePolicy' ^{_{f465fff1-0a0f-457d-aa4d-1bddb6f204ff}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:AttachUserPolicy' ^{_{7c96920c-6fd0-449d-9a52-0aa431b6beaf}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:CreateAccessKey' ^{_{5b4d4aee-ac94-4810-9611-833636e5916d}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:CreateLoginProfile' ^{_{9a205ba3-0dd1-42eb-8d54-2ffec836b51a}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ^{_{ee49557d-750c-4cc1-aa95-94ab36cbefde}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:PutGroupPolicy' ^{_{d6047119-a0b2-4b59-a4f2-127a36fb685b}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:PutRolePolicy' ^{_{eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:PutUserPolicy' ^{_{8f75840d-9ee7-42f3-b203-b40e3979eb12}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' ^{_{118281d0-6471-422e-a7c5-051bc667926e}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' ^{_{f1173d8c-3264-4148-9fdb-61181e031b51}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile' ^{_{35ccf766-0e4d-41ed-9ec4-2dab155082b4}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' ^{_{fa62ac4f-f5b9-45b9-97c1-625c8b6253ca}}	Medium	Access Control	Query details Documentation
Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' ^{_{c583f0f9-7dfd-476b-a056-f47c62b47b46}}	Medium	Access Control	Query details Documentation
S3 Bucket Allows Public ACL ^{_{d0cc8694-fcad-43ff-ac86-32331d7e867f}}	Medium	Access Control	Query details Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously ^{_{5ea624e4-c8b1-4bb3-87a4-4235a776adcc}}	Medium	Access Control	Query details Documentation
SQS Policy With Public Access ^{_{730675f9-52ed-49b6-8ead-0acb5dd7df7f}}	Medium	Access Control	Query details Documentation
SSO Identity User Unsafe Creation ^{_{4003118b-046b-4640-b200-b8c7a4c8b89f}}	Medium	Access Control	Query details Documentation
SSO Policy with full privileges ^{_{132a8c31-9837-4203-9fd1-15ca210c7b73}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' ^{_{19ffbe31-9d72-4379-9768-431195eae328}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' ^{_{89561b03-cb35-44a9-a7e9-8356e71606f4}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' ^{_{94fbe150-27e3-4eba-9ca6-af32865e4503}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' ^{_{9b877bd8-94b4-4c10-a060-8e0436cc09fa}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:AddUserToGroup' ^{_{bf9d42c7-c2f9-4dfe-942c-c8cc8249a081}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:AttachGroupPolicy' ^{_{6d23d87e-1c5b-4308-b224-92624300f29b}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:AttachRolePolicy' ^{_{e227091e-2228-4b40-b046-fc13650d8e88}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:AttachUserPolicy' ^{_{70cb518c-d990-46f6-bc05-44a5041493d6}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:CreateAccessKey' ^{_{113208f2-a886-4526-9ecc-f3218600e12c}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:CreateLoginProfile' ^{_{0fd7d920-4711-46bd-aff2-d307d82cd8b7}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:CreatePolicyVersion' ^{_{1743f5f1-0bb0-4934-acef-c80baa5dadfa}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:PutGroupPolicy' ^{_{8bfbf7ab-d5e8-4100-8618-798956e101e0}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:PutRolePolicy' ^{_{eeb4d37a-3c59-4789-a00c-1509bc3af1e5}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:PutUserPolicy' ^{_{0c10d7da-85c4-4d62-b2a8-d6c104f1bd77}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' ^{_{43a41523-386a-4cb1-becb-42af6b414433}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' ^{_{33627268-1445-4385-988a-318fd9d1a512}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'iam:UpdateLoginProfile' ^{_{6deb34e2-5d9c-499a-801b-ea6d9eda894f}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' ^{_{8055dec2-efb8-4fe6-8837-d9bed6ff202a}}	Medium	Access Control	Query details Documentation
User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' ^{_{b69247e5-7e73-464e-ba74-ec9b715c6e12}}	Medium	Access Control	Query details Documentation
Auto Scaling Group With No Associated ELB ^{_{8e94dced-9bcc-4203-8eb7-7e41202b2505}}	Medium	Availability	Query details Documentation
CMK Is Unusable ^{_{7350fa23-dcf7-4938-916d-6a60b0c73b50}}	Medium	Availability	Query details Documentation
ElastiCache Nodes Not Created Across Multi AZ ^{_{6db03a91-f933-4f13-ab38-a8b87a7de54d}}	Medium	Availability	Query details Documentation
ElastiCache Redis Cluster Without Backup ^{_{8fdb08a0-a868-4fdf-9c27-ccab0237f1ab}}	Medium	Backup	Query details Documentation
RDS Cluster With Backup Disabled ^{_{e542bd46-58c4-4e0f-a52a-1fb4f9548e02}}	Medium	Backup	Query details Documentation
RDS With Backup Disabled ^{_{1dc73fb4-5b51-430c-8c5f-25dcf9090b02}}	Medium	Backup	Query details Documentation
S3 Bucket Without Versioning ^{_{568a4d22-3517-44a6-a7ad-6a7eed88722c}}	Medium	Backup	Query details Documentation
Stack Retention Disabled ^{_{6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97}}	Medium	Backup	Query details Documentation
ALB Not Dropping Invalid Headers ^{_{6e3fd2ed-5c83-4c68-9679-7700d224d379}}	Medium	Best Practices	Query details Documentation
AMI Not Encrypted ^{_{8bbb242f-6e38-4127-86d4-d8f0b2687ae2}}	Medium	Encryption	Query details Documentation
CA Certificate Identifier Is Outdated ^{_{9f40c07e-699e-4410-8856-3ba0f2e3a2dd}}	Medium	Encryption	Query details Documentation
Cloudfront Viewer Protocol Policy Allows HTTP ^{_{55af1353-2f62-4fa0-a8e1-a210ca2708f5}}	Medium	Encryption	Query details Documentation
CloudWatch Log Group Without KMS ^{_{0afbcfe9-d341-4b92-a64c-7e6de0543879}}	Medium	Encryption	Query details Documentation
ElastiCache Replication Group Not Encrypted At Transit ^{_{1afbb3fa-cf6c-4a3d-b730-95e9f4df343e}}	Medium	Encryption	Query details Documentation
Elasticsearch Domain Not Encrypted Node To Node ^{_{967eb3e6-26fc-497d-8895-6428beb6e8e2}}	Medium	Encryption	Query details Documentation
ELB Using Insecure Protocols ^{_{126c1788-23c2-4a10-906c-ef179f4f96ec}}	Medium	Encryption	Query details Documentation
IAM Database Auth Not Enabled ^{_{88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6}}	Medium	Encryption	Query details Documentation
S3 Bucket Policy Accepts HTTP Requests ^{_{4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9}}	Medium	Encryption	Query details Documentation
Secretsmanager Secret Encrypted With AWS Managed Key ^{_{b0d3ef3f-845d-4b1b-83d6-63a5a380375f}}	Medium	Encryption	Query details Documentation
Secretsmanager Secret Without KMS ^{_{a2f548f2-188c-4fff-b172-e9a6acb216bd}}	Medium	Encryption	Query details Documentation
Secure Ciphers Disabled ^{_{5c0003fb-9aa0-42c1-9da3-eb0e332bef21}}	Medium	Encryption	Query details Documentation
SNS Topic Encrypted With AWS Managed Key ^{_{b1a72f66-2236-4f3b-87ba-0da1b366956f}}	Medium	Encryption	Query details Documentation
SQS With SSE Disabled ^{_{6e8849c1-3aa7-40e3-9063-b85ee300f29f}}	Medium	Encryption	Query details Documentation
SSM Session Transit Encryption Disabled ^{_{ce60cc6b-6831-4bd7-84a2-cc7f8ee71433}}	Medium	Encryption	Query details Documentation
ALB Deletion Protection Disabled ^{_{afecd1f1-6378-4f7e-bb3b-60c35801fdd4}}	Medium	Insecure Configurations	Query details Documentation
API Gateway With Open Access ^{_{15ccec05-5476-4890-ad19-53991eba1db8}}	Medium	Insecure Configurations	Query details Documentation
API Gateway Without Security Policy ^{_{4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b}}	Medium	Insecure Configurations	Query details Documentation
API Gateway Without SSL Certificate ^{_{0b4869fc-a842-4597-aa00-1294df425440}}	Medium	Insecure Configurations	Query details Documentation
Certificate RSA Key Bytes Lower Than 256 ^{_{874d68a3-bfbe-4a4b-aaa0-9e74d7da634b}}	Medium	Insecure Configurations	Query details Documentation
CloudFront Without Minimum Protocol TLS 1.2 ^{_{00e5e55e-c2ff-46b3-a757-a7a1cd802456}}	Medium	Insecure Configurations	Query details Documentation
ECR Image Tag Not Immutable ^{_{d1846b12-20c5-4d45-8798-fc35b79268eb}}	Medium	Insecure Configurations	Query details Documentation
ECS Task Definition Network Mode Not Recommended ^{_{9f4a9409-9c60-4671-be96-9716dbf63db1}}	Medium	Insecure Configurations	Query details Documentation
EKS Cluster Has Public Access ^{_{42f4b905-3736-4213-bfe9-c0660518cda8}}	Medium	Insecure Configurations	Query details Documentation
IAM User Has Too Many Access Keys ^{_{3561130e-9c5f-485b-9e16-2764c82763e5}}	Medium	Insecure Configurations	Query details Documentation
No Password Policy Enabled ^{_{b592ffd4-0577-44b6-bd35-8c5ee81b5918}}	Medium	Insecure Configurations	Query details Documentation
S3 Bucket with Unsecured CORS Rule ^{_{98a8f708-121b-455b-ae2f-da3fb59d17e1}}	Medium	Insecure Configurations	Query details Documentation
S3 Bucket Without Ignore Public ACL ^{_{4fa66806-0dd9-4f8d-9480-3174d39c7c91}}	Medium	Insecure Configurations	Query details Documentation
S3 Bucket Without Restriction Of Public Bucket ^{_{1ec253ab-c220-4d63-b2de-5b40e0af9293}}	Medium	Insecure Configurations	Query details Documentation
Service Control Policies Disabled ^{_{5ba6229c-8057-433e-91d0-21cf13569ca9}}	Medium	Insecure Configurations	Query details Documentation
Default VPC Exists ^{_{96ed3526-0179-4c73-b1b2-372fde2e0d13}}	Medium	Insecure Defaults	Query details Documentation
Vulnerable Default SSL Certificate ^{_{3a1e94df-6847-4c0e-a3b6-6c6af4e128ef}}	Medium	Insecure Defaults	Query details Documentation
ALB Is Not Integrated With WAF ^{_{0afa6ab8-a047-48cf-be07-93a2f8c34cf7}}	Medium	Networking and Firewall	Query details Documentation
ALB Listening on HTTP ^{_{de7f5e83-da88-4046-871f-ea18504b1d43}}	Medium	Networking and Firewall	Query details Documentation
API Gateway Endpoint Config is Not Private ^{_{6b2739db-9c49-4db7-b980-7816e0c248c1}}	Medium	Networking and Firewall	Query details Documentation
API Gateway without WAF ^{_{a186e82c-1078-4a7b-85d8-579561fde884}}	Medium	Networking and Firewall	Query details Documentation
CloudFront Without WAF ^{_{1419b4c6-6d5c-4534-9cf6-6a5266085333}}	Medium	Networking and Firewall	Query details Documentation
EC2 Instance Has Public IP ^{_{5a2486aa-facf-477d-a5c1-b010789459ce}}	Medium	Networking and Firewall	Query details Documentation
EKS Cluster Has Public Access CIDRs ^{_{61cf9883-1752-4768-b18c-0d57f2737709}}	Medium	Networking and Firewall	Query details Documentation
EKS node group remote access disabled ^{_{ba40ace1-a047-483c-8a8d-bc2d3a67a82d}}	Medium	Networking and Firewall	Query details Documentation
Elasticsearch with HTTPS disabled ^{_{2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e}}	Medium	Networking and Firewall	Query details Documentation
HTTP Port Open To Internet ^{_{ffac8a12-322e-42c1-b9b9-81ff85c39ef7}}	Medium	Networking and Firewall	Query details Documentation
Network ACL With Unrestricted Access To SSH ^{_{3af7f2fd-06e6-4dab-b996-2912bea19ba4}}	Medium	Networking and Firewall	Query details Documentation
Security Group With Unrestricted Access To SSH ^{_{65905cec-d691-4320-b320-2000436cb696}}	Medium	Networking and Firewall	Query details Documentation
Sensitive Port Is Exposed To Small Public Network ^{_{e35c16a2-d54e-419d-8546-a804d8e024d0}}	Medium	Networking and Firewall	Query details Documentation
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible ^{_{54c417bf-c762-48b9-9d31-b3d87047e3f0}}	Medium	Networking and Firewall	Query details Documentation
VPC Subnet Assigns Public IP ^{_{52f04a44-6bfa-4c41-b1d3-4ae99a2de05c}}	Medium	Networking and Firewall	Query details Documentation
VPC Without Network Firewall ^{_{fd632aaf-b8a1-424d-a4d1-0de22fd3247a}}	Medium	Networking and Firewall	Query details Documentation
API Gateway Access Logging Disabled ^{_{1b6799eb-4a7a-4b04-9001-8cceb9999326}}	Medium	Observability	Query details Documentation
API Gateway Deployment Without Access Log Setting ^{_{625abc0e-f980-4ac9-a775-f7519ee34296}}	Medium	Observability	Query details Documentation
API Gateway With CloudWatch Logging Disabled ^{_{982aa526-6970-4c59-8b9b-2ce7e019fe36}}	Medium	Observability	Query details Documentation
CloudFront Logging Disabled ^{_{94690d79-b3b0-43de-b656-84ebef5753e5}}	Medium	Observability	Query details Documentation
CloudTrail Log Files S3 Bucket with Logging Disabled ^{_{ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4}}	Medium	Observability	Query details Documentation
CloudTrail Logging Disabled ^{_{4bb76f17-3d63-4529-bdca-2b454529d774}}	Medium	Observability	Query details Documentation
CloudWatch AWS Config Configuration Changes Alarm Missing ^{_{5b8d7527-de8e-4114-b9dd-9d988f1f418f}}	Medium	Observability	Query details Documentation
CloudWatch Changes To NACL Alarm Missing ^{_{0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0}}	Medium	Observability	Query details Documentation
Cloudwatch Cloudtrail Configuration Changes Alarm Missing ^{_{0f6cbf69-41bb-47dc-93f3-3844640bf480}}	Medium	Observability	Query details Documentation
CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing ^{_{56a585f5-555c-48b2-8395-e64e4740a9cf}}	Medium	Observability	Query details Documentation
CloudWatch Logging Disabled ^{_{7dbba512-e244-42dc-98bb-422339827967}}	Medium	Observability	Query details Documentation
CloudWatch Management Console Auth Failed Alarm Missing ^{_{5864d189-ee9a-4009-ac0c-8a582e6b7919}}	Medium	Observability	Query details Documentation
CloudWatch Metrics Disabled ^{_{081069cb-588b-4ce1-884c-2a1ce3029fe5}}	Medium	Observability	Query details Documentation
CloudWatch Root Account Use Missing ^{_{8b1b1e67-6248-4dca-bbad-93486bb181c0}}	Medium	Observability	Query details Documentation
CloudWatch S3 policy Change Alarm Missing ^{_{27c6a499-895a-4dc7-9617-5c485218db13}}	Medium	Observability	Query details Documentation
Cloudwatch Security Group Changes Alarm Missing ^{_{4beaf898-9f8b-4237-89e2-5ffdc7ee6006}}	Medium	Observability	Query details Documentation
CloudWatch VPC Changes Alarm Missing ^{_{9d0d4512-1959-43a2-a17f-72360ff06d1b}}	Medium	Observability	Query details Documentation
DocDB Logging Is Disabled ^{_{56f6a008-1b14-4af4-b9b2-ab7cf7e27641}}	Medium	Observability	Query details Documentation
EC2 Instance Monitoring Disabled ^{_{23b70e32-032e-4fa6-ba5c-82f56b9980e6}}	Medium	Observability	Query details Documentation
EKS cluster logging is not enabled ^{_{37304d3f-f852-40b8-ae3f-725e87a7cedf}}	Medium	Observability	Query details Documentation
Elasticsearch Log Disabled ^{_{acb6b4e2-a086-4f35-aefd-4db6ea51ada2}}	Medium	Observability	Query details Documentation
ELB Access Log Disabled ^{_{20018359-6fd7-4d05-ab26-d4dffccbdf79}}	Medium	Observability	Query details Documentation
Global Accelerator Flow Logs Disabled ^{_{96e8183b-e985-457b-90cd-61c0503a3369}}	Medium	Observability	Query details Documentation
GuardDuty Detector Disabled ^{_{704dadd3-54fc-48ac-b6a0-02f170011473}}	Medium	Observability	Query details Documentation
Missing Cluster Log Types ^{_{66f130d9-b81d-4e8e-9b08-da74b9c891df}}	Medium	Observability	Query details Documentation
MQ Broker Logging Disabled ^{_{31245f98-a6a9-4182-9fc1-45482b9d030a}}	Medium	Observability	Query details Documentation
MSK Cluster Logging Disabled ^{_{2f56b7ab-7fba-4e93-82f0-247e5ddeb239}}	Medium	Observability	Query details Documentation
Neptune Logging Is Disabled ^{_{45cff7b6-3b80-40c1-ba7b-2cf480678bb8}}	Medium	Observability	Query details Documentation
RDS Without Logging ^{_{8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56}}	Medium	Observability	Query details Documentation
Redshift Cluster Logging Disabled ^{_{15ffbacc-fa42-4f6f-a57d-2feac7365caa}}	Medium	Observability	Query details Documentation
S3 Bucket Logging Disabled ^{_{f861041c-8c9f-4156-acfc-5e6e524f5884}}	Medium	Observability	Query details Documentation
S3 Bucket Object Level CloudTrail Logging Disabled ^{_{a8fc2180-b3ac-4c93-bd0d-a55b974e4b07}}	Medium	Observability	Query details Documentation
Stack Notifications Disabled ^{_{b72d0026-f649-4c91-a9ea-15d8f681ac09}}	Medium	Observability	Query details Documentation
VPC FlowLogs Disabled ^{_{f83121ea-03da-434f-9277-9cd247ab3047}}	Medium	Observability	Query details Documentation
No Stack Policy ^{_{2f01fb2d-828a-499d-b98e-b83747305052}}	Medium	Resource Management	Query details Documentation
Authentication Without MFA ^{_{3ddfa124-6407-4845-a501-179f90c65097}}	Low	Access Control	Query details Documentation
CloudWatch Logs Destination With Vulnerable Policy ^{_{db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8}}	Low	Access Control	Query details Documentation
EC2 Instance Using API Keys ^{_{0b93729a-d882-4803-bdc3-ac429a21f158}}	Low	Access Control	Query details Documentation
SSO Permission With Inadequate User Session Duration ^{_{ce9dfce0-5fc8-433b-944a-3b16153111a8}}	Low	Access Control	Query details Documentation
Autoscaling Groups Supply Tags ^{_{ba48df05-eaa1-4d64-905e-4a4b051e7587}}	Low	Availability	Query details Documentation
ECS Service Without Running Tasks ^{_{91f16d09-689e-4926-aca7-155157f634ed}}	Low	Availability	Query details Documentation
Automatic Minor Upgrades Disabled ^{_{3b6d777b-76e3-4133-80a3-0d6f667ade7f}}	Low	Best Practices	Query details Documentation
CDN Configuration Is Missing ^{_{1bc367f6-901d-4870-ad0c-71d79762ef52}}	Low	Best Practices	Query details Documentation
Cognito UserPool Without MFA ^{_{ec28bf61-a474-4dbe-b414-6dd3a067d6f0}}	Low	Best Practices	Query details Documentation
ECR Repository Without Policy ^{_{69e7c320-b65d-41bb-be02-d63ecc0bcc9d}}	Low	Best Practices	Query details Documentation
IAM Access Analyzer Not Enabled ^{_{e592a0c5-5bdb-414c-9066-5dba7cdea370}}	Low	Best Practices	Query details Documentation
IAM Password Without Minimum Length ^{_{1bc1c685-e593-450e-88fb-19db4c82aa1d}}	Low	Best Practices	Query details Documentation
Lambda IAM InvokeFunction Misconfigured ^{_{0ca1017d-3b80-423e-bb9c-6cd5898d34bd}}	Low	Best Practices	Query details Documentation
Lambda Permission Misconfigured ^{_{75ec6890-83af-4bf1-9f16-e83726df0bd0}}	Low	Best Practices	Query details Documentation
Misconfigured Password Policy Expiration ^{_{ce60d060-efb8-4bfd-9cf7-ff8945d00d90}}	Low	Best Practices	Query details Documentation
Password Without Reuse Prevention ^{_{89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a}}	Low	Best Practices	Query details Documentation
Stack Without Template ^{_{91bea7b8-0c31-4863-adc9-93f6177266c4}}	Low	Build Process	Query details Documentation
API Gateway With Invalid Compression ^{_{ed35928e-195c-4405-a252-98ccb664ab7b}}	Low	Encryption	Query details Documentation
CloudTrail Log Files Not Encrypted With KMS ^{_{5d9e3164-9265-470c-9a10-57ae454ac0c7}}	Low	Encryption	Query details Documentation
CodeBuild Project Encrypted With AWS Managed Key ^{_{3deec14b-03d2-4d27-9670-7d79322e3340}}	Low	Encryption	Query details Documentation
DOCDB Cluster Encrypted With AWS Managed Key ^{_{2134641d-30a4-4b16-8ffc-2cd4c4ffd15d}}	Low	Encryption	Query details Documentation
ECR Repository Not Encrypted With CMK ^{_{0e32d561-4b5a-4664-a6e3-a3fa85649157}}	Low	Encryption	Query details Documentation
EFS Without KMS ^{_{25d251f3-f348-4f95-845c-1090e41a615c}}	Low	Encryption	Query details Documentation
AWS Password Policy With Unchangeable Passwords ^{_{9ef7d25d-9764-4224-9968-fa321c56ef76}}	Low	Insecure Configurations	Query details Documentation
IAM User Policy Without MFA ^{_{b5681959-6c09-4f55-b42b-c40fa12d03ec}}	Low	Insecure Configurations	Query details Documentation
Instance With No VPC ^{_{a31a5a29-718a-4ff4-8001-a69e5e4d029e}}	Low	Insecure Configurations	Query details Documentation
Redis Disabled ^{_{4bd15dd9-8d5e-4008-8532-27eb0c3706d3}}	Low	Insecure Configurations	Query details Documentation
Redshift Cluster Without VPC ^{_{0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3}}	Low	Insecure Configurations	Query details Documentation
S3 Bucket Without Enabled MFA Delete ^{_{c5b31ab9-0f26-4a49-b8aa-4cc064392f4d}}	Low	Insecure Configurations	Query details Documentation
Dynamodb VPC Endpoint Without Route Table Association ^{_{0bc534c5-13d1-4353-a7fe-b8665d5c1d7d}}	Low	Networking and Firewall	Query details Documentation
EC2 Instance Using Default VPC ^{_{7e4a6e76-568d-43ef-8c4e-36dea481bff1}}	Low	Networking and Firewall	Query details Documentation
ElastiCache Using Default Port ^{_{5d89db57-8b51-4b38-bb76-b9bd42bd40f0}}	Low	Networking and Firewall	Query details Documentation
ElastiCache Without VPC ^{_{8c849af7-a399-46f7-a34c-32d3dc96f1fc}}	Low	Networking and Firewall	Query details Documentation
EMR Without VPC ^{_{2b3c8a6d-9856-43e6-ab1d-d651094f03b4}}	Low	Networking and Firewall	Query details Documentation
RDS Using Default Port ^{_{bca7cc4d-b3a4-4345-9461-eb69c68fcd26}}	Low	Networking and Firewall	Query details Documentation
Redshift Using Default Port ^{_{41abc6cc-dde1-4217-83d3-fb5f0cc09d8f}}	Low	Networking and Firewall	Query details Documentation
Sensitive Port Is Exposed To Wide Private Network ^{_{92fe237e-074c-4262-81a4-2077acb928c1}}	Low	Networking and Firewall	Query details Documentation
Shield Advanced Not In Use ^{_{084c6686-2a70-4710-91b1-000393e54c12}}	Low	Networking and Firewall	Query details Documentation
SQS VPC Endpoint Without DNS Resolution ^{_{e9b7acf9-9ba0-4837-a744-31e7df1e434d}}	Low	Networking and Firewall	Query details Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated ^{_{b3a59b8e-94a3-403e-b6e2-527abaf12034}}	Low	Observability	Query details Documentation
API Gateway X-Ray Disabled ^{_{5813ef56-fa94-406a-b35d-977d4a56ff2b}}	Low	Observability	Query details Documentation
CloudTrail Log File Validation Disabled ^{_{52ffcfa6-6c70-4ea6-8376-d828d3961669}}	Low	Observability	Query details Documentation
CloudTrail Multi Region Disabled ^{_{8173d5eb-96b5-4aa6-a71b-ecfa153c123d}}	Low	Observability	Query details Documentation
CloudTrail Not Integrated With CloudWatch ^{_{17b30f8f-8dfb-4597-adf6-57600b6cf25e}}	Low	Observability	Query details Documentation
CloudTrail SNS Topic Name Undefined ^{_{482b7d26-0bdb-4b5f-bf6f-545826c0a3dd}}	Low	Observability	Query details Documentation
CloudWatch Console Sign-in Without MFA Alarm Missing ^{_{44ceb4fa-0897-4fd2-b676-30e7a58f2933}}	Low	Observability	Query details Documentation
CloudWatch IAM Policy Changes Alarm Missing ^{_{eaaba502-2f94-411a-a3c2-83d63cc1776d}}	Low	Observability	Query details Documentation
CloudWatch Network Gateways Changes Alarm Missing ^{_{6b6874fe-4c2f-4eea-8b90-7cceaa4a125e}}	Low	Observability	Query details Documentation
CloudWatch Route Table Changes Alarm Missing ^{_{2285e608-ddbc-47f3-ba54-ce7121e31216}}	Low	Observability	Query details Documentation
CMK Rotation Disabled ^{_{22fbfeac-7b5a-421a-8a27-7a2178bb910b}}	Low	Observability	Query details Documentation
Configuration Aggregator to All Regions Disabled ^{_{ac5a0bc0-a54c-45aa-90c3-15f7703b9132}}	Low	Observability	Query details Documentation
ECS Cluster with Container Insights Disabled ^{_{97cb0688-369a-4d26-b1f7-86c4c91231bc}}	Low	Observability	Query details Documentation
ElasticSearch Without Slow Logs ^{_{e979fcbc-df6c-422d-9458-c33d65e71c45}}	Low	Observability	Query details Documentation
KMS Key With No Deletion Window ^{_{0b530315-0ea4-497f-b34c-4ff86268f59d}}	Low	Observability	Query details Documentation
Lambda Functions Without X-Ray Tracing ^{_{8152e0cf-d2f0-47ad-96d5-d003a76eabd1}}	Low	Observability	Query details Documentation
Unscanned ECR Image ^{_{9630336b-3fed-4096-8173-b9afdfe346a7}}	Low	Observability	Query details Documentation
API Gateway Stage Without API Gateway UsagePlan Associated ^{_{c999cf62-0920-40f8-8dda-0caccd66ed7e}}	Low	Resource Management	Query details Documentation
Security Group Not Used ^{_{4849211b-ac39-479e-ae78-5694d506cb24}}	Info	Access Control	Query details Documentation
DynamoDB Table Point In Time Recovery Disabled ^{_{741f1291-47ac-4a85-a07b-3d32a9d6bd3e}}	Info	Best Practices	Query details Documentation
EC2 Not EBS Optimized ^{_{60224630-175a-472a-9e23-133827040766}}	Info	Best Practices	Query details Documentation
Resource Not Using Tags ^{_{e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10}}	Info	Best Practices	Query details Documentation
Security Group Rule Without Description ^{_{68eb4bf3-f9bf-463d-b5cf-e029bb446d2e}}	Info	Best Practices	Query details Documentation
Security Group Without Description ^{_{cb3f5ed6-0d18-40de-a93d-b3538db31e8c}}	Info	Best Practices	Query details Documentation
CloudWatch AWS Organizations Changes Missing Alarm ^{_{38b85c45-e772-4de8-a247-69619ca137b3}}	Info	Observability	Query details Documentation
CloudWatch Without Retention Period Specified ^{_{ef0b316a-211e-42f1-888e-64efe172b755}}	Info	Observability	Query details Documentation

AWS_BOM¶

Below are listed queries related to Terraform AWS_BOM:

Query	Severity	Category	More info
BOM - AWS DynamoDB ^{_{23edf35f-7c22-4ff9-87e6-0ca74261cfbf}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS EBS ^{_{86571149-eef3-4280-a645-01e60df854b0}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS EFS ^{_{f53f16d6-46a9-4277-9fbe-617b1e24cdca}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS Elasticache ^{_{54229498-850b-4f78-b3a7-218d24ef2c37}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS Kinesis ^{_{0e59d33e-bba2-4037-8f88-9765647ca7ad}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS MQ ^{_{fcb1b388-f558-4b7f-9b6e-f4e98abb7380}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS MSK ^{_{051f2063-2517-4295-ad8e-ba88c1bf5cfc}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS RDS ^{_{12933609-c5bf-44b4-9a41-a6467c3b685b}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS S3 Buckets ^{_{2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS SNS ^{_{eccc4d59-74b9-4974-86f1-74386e0c7f33}}	Trace	Bill Of Materials	Query details Documentation
BOM - AWS SQS ^{_{baecd2da-492a-4d59-b9dc-29540a1398e0}}	Trace	Bill Of Materials	Query details Documentation

AZURE¶

Below are listed queries related to Terraform AZURE:

Query	Severity	Category	More info
CosmosDB Account IP Range Filter Not Set ^{_{c2a3efb6-8a58-481c-82f2-bfddf34bb4b7}}	Critical	Networking and Firewall	Query details Documentation
Redis Entirely Accessible ^{_{fd8da341-6760-4450-b26c-9f6d8850575e}}	Critical	Networking and Firewall	Query details Documentation
Redis Publicly Accessible ^{_{5089d055-53ff-421b-9482-a5267bdce629}}	Critical	Networking and Firewall	Query details Documentation
SQLServer Ingress From Any IP ^{_{25c0ea09-f1c5-4380-b055-3b83863f2bb8}}	Critical	Networking and Firewall	Query details Documentation
Unrestricted SQL Server Access ^{_{d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28}}	Critical	Networking and Firewall	Query details Documentation
Public Storage Account ^{_{17f75827-0684-48f4-8747-61129c7e4198}}	High	Access Control	Query details Documentation
Storage Container Is Publicly Accessible ^{_{dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299}}	High	Access Control	Query details Documentation
Azure Container Registry With No Locks ^{_{a187ac47-8163-42ce-8a63-c115236be6fb}}	High	Insecure Configurations	Query details Documentation
Security Group is Not Configured ^{_{5c822443-e1ea-46b8-84eb-758ec602e844}}	High	Insecure Configurations	Query details Documentation
MariaDB Server Public Network Access Enabled ^{_{7f0a8696-7159-4337-ad0d-8a3ab4a78195}}	High	Networking and Firewall	Query details Documentation
MSSQL Server Public Network Access Enabled ^{_{ade36cf4-329f-4830-a83d-9db72c800507}}	High	Networking and Firewall	Query details Documentation
MySQL Server Public Access Enabled ^{_{f118890b-2468-42b1-9ce9-af35146b425b}}	High	Networking and Firewall	Query details Documentation
RDP Is Exposed To The Internet ^{_{efbf6449-5ec5-4cfe-8f15-acc51e0d787c}}	High	Networking and Firewall	Query details Documentation
Sensitive Port Is Exposed To Entire Network ^{_{594c198b-4d79-41b8-9b36-fde13348b619}}	High	Networking and Firewall	Query details Documentation
Admin User Enabled For Container Registry ^{_{b897dfbf-322c-45a8-b67c-1e698beeaa51}}	Medium	Access Control	Query details Documentation
AKS RBAC Disabled ^{_{86f92117-eed8-4614-9c6c-b26da20ff37f}}	Medium	Access Control	Query details Documentation
App Service Authentication Disabled ^{_{c7fc1481-2899-4490-bbd8-544a3a61a2f3}}	Medium	Access Control	Query details Documentation
Function App Authentication Disabled ^{_{e65a0733-94a0-4826-82f4-df529f4c593f}}	Medium	Access Control	Query details Documentation
Role Assignment Not Limit Guest User Permissions ^{_{8e75e431-449f-49e9-b56a-c8f1378025cf}}	Medium	Access Control	Query details Documentation
Role Definition Allows Custom Role Creation ^{_{3fa5900f-9aac-4982-96b2-a6143d9c99fb}}	Medium	Access Control	Query details Documentation
Storage Share File Allows All ACL Permissions ^{_{48bbe0fd-57e4-4678-a4a1-119e79c90fc3}}	Medium	Access Control	Query details Documentation
Storage Table Allows All ACL Permissions ^{_{3ac3e75c-6374-4a32-8ba0-6ed69bda404e}}	Medium	Access Control	Query details Documentation
Azure Instance Using Basic Authentication ^{_{dafe30ec-325d-4516-85d1-e8e6776f012c}}	Medium	Best Practices	Query details Documentation
Key Vault Secrets Content Type Undefined ^{_{f8e08a38-fc6e-4915-abbe-a7aadf1d59ef}}	Medium	Best Practices	Query details Documentation
Security Contact Email ^{_{34664094-59e0-4524-b69f-deaa1a68cce3}}	Medium	Best Practices	Query details Documentation
App Service Not Using Latest TLS Encryption Version ^{_{b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643}}	Medium	Encryption	Query details Documentation
Encryption On Managed Disk Disabled ^{_{a99130ab-4c0e-43aa-97f8-78d4fcb30024}}	Medium	Encryption	Query details Documentation
Function App Not Using Latest TLS Encryption Version ^{_{45fc717a-bd86-415c-bdd8-677901be1aa6}}	Medium	Encryption	Query details Documentation
MySQL SSL Connection Disabled ^{_{73e42469-3a86-4f39-ad78-098f325b4e9f}}	Medium	Encryption	Query details Documentation
SSL Enforce Disabled ^{_{0437633b-daa6-4bbc-8526-c0d2443b946e}}	Medium	Encryption	Query details Documentation
Storage Account Not Forcing HTTPS ^{_{12944ec4-1fa0-47be-8b17-42a034f937c2}}	Medium	Encryption	Query details Documentation
Storage Account Not Using Latest TLS Encryption Version ^{_{8263f146-5e03-43e0-9cfe-db960d56d1e7}}	Medium	Encryption	Query details Documentation
AD Admin Not Configured For SQL Server ^{_{a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b}}	Medium	Insecure Configurations	Query details Documentation
AKS Private Cluster Disabled ^{_{599318f2-6653-4569-9e21-041d06c63a89}}	Medium	Insecure Configurations	Query details Documentation
App Service FTPS Enforce Disabled ^{_{85da374f-b00f-4832-9d44-84a1ca1e89f8}}	Medium	Insecure Configurations	Query details Documentation
App Service HTTP2 Disabled ^{_{525b53be-62ed-4244-b4df-41aecfcb4071}}	Medium	Insecure Configurations	Query details Documentation
Azure App Service Client Certificate Disabled ^{_{a81573f9-3691-4d83-88a0-7d4af63e17a3}}	Medium	Insecure Configurations	Query details Documentation
Function App Client Certificates Unrequired ^{_{9bb3c639-5edf-458c-8ee5-30c17c7d671d}}	Medium	Insecure Configurations	Query details Documentation
Function App FTPS Enforce Disabled ^{_{9dab0179-433d-4dff-af8f-0091025691df}}	Medium	Insecure Configurations	Query details Documentation
Function App HTTP2 Disabled ^{_{ace823d1-4432-4dee-945b-cdf11a5a6bd0}}	Medium	Insecure Configurations	Query details Documentation
Function App Managed Identity Disabled ^{_{c87749b3-ff10-41f5-9df2-c421e8151759}}	Medium	Insecure Configurations	Query details Documentation
Network Watcher Flow Disabled ^{_{b90842e5-6779-44d4-9760-972f4c03ba1c}}	Medium	Insecure Configurations	Query details Documentation
Redis Cache Allows Non SSL Connections ^{_{e29a75e6-aba3-4896-b42d-b87818c16b58}}	Medium	Insecure Configurations	Query details Documentation
Redis Not Updated Regularly ^{_{b947809d-dd2f-4de9-b724-04d101c515aa}}	Medium	Insecure Configurations	Query details Documentation
Security Center Pricing Tier Is Not Standard ^{_{819d50fd-1cdf-45c3-9936-be408aaad93e}}	Medium	Insecure Configurations	Query details Documentation
Small Flow Logs Retention Period ^{_{7750fcca-dd03-4d38-b663-4b70289bcfd4}}	Medium	Insecure Configurations	Query details Documentation
VM Not Attached To Network ^{_{bbf6b3df-4b65-4f87-82cc-da9f30f8c033}}	Medium	Insecure Configurations	Query details Documentation
Web App Accepting Traffic Other Than HTTPS ^{_{11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe}}	Medium	Insecure Configurations	Query details Documentation
Default Azure Storage Account Network Access Is Too Permissive ^{_{a5613650-32ec-4975-a305-31af783153ea}}	Medium	Insecure Defaults	Query details Documentation
Azure Cognitive Search Public Network Access Enabled ^{_{4a9e0f00-0765-4f72-a0d4-d31110b78279}}	Medium	Networking and Firewall	Query details Documentation
Firewall Rule Allows Too Many Hosts To Access Redis Cache ^{_{a829b715-cf75-4e92-b645-54c9b739edfb}}	Medium	Networking and Firewall	Query details Documentation
Network Interfaces IP Forwarding Enabled ^{_{4216ebac-d74c-4423-b437-35025cb88af5}}	Medium	Networking and Firewall	Query details Documentation
Network Interfaces With Public IP ^{_{c1573577-e494-4417-8854-7e119368dc8b}}	Medium	Networking and Firewall	Query details Documentation
Sensitive Port Is Exposed To Small Public Network ^{_{e9dee01f-2505-4df2-b9bf-7804d1fd9082}}	Medium	Networking and Firewall	Query details Documentation
SSH Is Exposed To The Internet ^{_{3e3c175e-aadf-4e2b-a464-3fdac5748d24}}	Medium	Networking and Firewall	Query details Documentation
Trusted Microsoft Services Not Enabled ^{_{5400f379-a347-4bdd-a032-446465fdcc6f}}	Medium	Networking and Firewall	Query details Documentation
WAF Is Disabled For Azure Application Gateway ^{_{2e48d91c-50e4-45c8-9312-27b625868a72}}	Medium	Networking and Firewall	Query details Documentation
Email Alerts Disabled ^{_{9db38e87-f6aa-4b5e-a1ec-7266df259409}}	Medium	Observability	Query details Documentation
Log Retention Is Not Set ^{_{ffb02aca-0d12-475e-b77c-a726f7aeff4b}}	Medium	Observability	Query details Documentation
MSSQL Server Auditing Disabled ^{_{609839ae-bd81-4375-9910-5bce72ae7b92}}	Medium	Observability	Query details Documentation
PostgreSQL Log Checkpoints Disabled ^{_{3790d386-be81-4dcf-9850-eaa7df6c10d9}}	Medium	Observability	Query details Documentation
PostgreSQL Log Connections Not Set ^{_{c640d783-10c5-4071-b6c1-23507300d333}}	Medium	Observability	Query details Documentation
PostgreSQL Log Disconnections Not Set ^{_{07f7134f-9f37-476e-8664-670c218e4702}}	Medium	Observability	Query details Documentation
PostgreSQL Log Duration Not Set ^{_{16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f}}	Medium	Observability	Query details Documentation
PostgreSQL Server Without Connection Throttling ^{_{2b3c671f-1b76-4741-8789-ed1fe0785dc4}}	Medium	Observability	Query details Documentation
SQL Server Auditing Disabled ^{_{f7e296b0-6660-4bc5-8f87-22ac4a815edf}}	Medium	Observability	Query details Documentation
Vault Auditing Disabled ^{_{38c71c00-c177-4cd7-8d36-cd1007cdb190}}	Medium	Observability	Query details Documentation
PostgreSQL Server Threat Detection Policy Disabled ^{_{c407c3cf-c409-4b29-b590-db5f4138d332}}	Medium	Resource Management	Query details Documentation
SQL Database Audit Disabled ^{_{83a229ba-483e-47c6-8db7-dc96969bce5a}}	Medium	Resource Management	Query details Documentation
Key Expiration Not Set ^{_{4d080822-5ee2-49a4-8984-68f3d4c890fc}}	Medium	Secret Management	Query details Documentation
Secret Expiration Not Set ^{_{dfa20ffa-f476-428f-a490-424b41e91c7f}}	Medium	Secret Management	Query details Documentation
Azure Active Directory Authentication ^{_{a21c8da9-41bf-40cf-941d-330cf0d11fc7}}	Low	Access Control	Query details Documentation
Virtual Network with DDoS Protection Plan disabled ^{_{b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a}}	Low	Availability	Query details Documentation
Geo Redundancy Is Disabled ^{_{8b042c30-e441-453f-b162-7696982ebc58}}	Low	Backup	Query details Documentation
MariaDB Server Geo-redundant Backup Disabled ^{_{0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1}}	Low	Backup	Query details Documentation
AKS Uses Azure Policies Add-On Disabled ^{_{43789711-161b-4708-b5bb-9d1c626f7492}}	Low	Best Practices	Query details Documentation
App Service Without Latest PHP Version ^{_{96fe318e-d631-4156-99fa-9080d57280ae}}	Low	Best Practices	Query details Documentation
App Service Without Latest Python Version ^{_{cc4aaa9d-1070-461a-b519-04e00f42db8a}}	Low	Best Practices	Query details Documentation
SQL Server Predictable Active Directory Account Name ^{_{bcd3fc01-5902-4f2a-b05a-227f9bbf5450}}	Low	Best Practices	Query details Documentation
SQL Server Predictable Admin Account Name ^{_{2ab6de9a-0136-415c-be92-79d2e4fd750f}}	Low	Best Practices	Query details Documentation
Cosmos DB Account Without Tags ^{_{56dad03e-e94f-4dd6-93a4-c253a03ff7a0}}	Low	Build Process	Query details Documentation
AKS Disk Encryption Set ID Undefined ^{_{b17d8bb8-4c08-4785-867e-cb9e62a622aa}}	Low	Encryption	Query details Documentation
PostgreSQL Server Infrastructure Encryption Disabled ^{_{6425c98b-ca4e-41fe-896a-c78772c131f8}}	Low	Encryption	Query details Documentation
AKS Network Policy Misconfigured ^{_{f5342045-b935-402d-adf1-8dbbd09c0eef}}	Low	Insecure Configurations	Query details Documentation
Dashboard Is Enabled ^{_{61c3cb8b-0715-47e4-b788-86dde40dd2db}}	Low	Insecure Configurations	Query details Documentation
Azure Front Door WAF Disabled ^{_{835a4f2f-df43-437d-9943-545ccfc55961}}	Low	Networking and Firewall	Query details Documentation
Sensitive Port Is Exposed To Wide Private Network ^{_{c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e}}	Low	Networking and Firewall	Query details Documentation
Small Activity Log Retention Period ^{_{2b856bf9-8e8c-4005-875f-303a8cba3918}}	Low	Observability	Query details Documentation
Small MSSQL Audit Retention Period ^{_{9c301481-e6ec-44f7-8a49-8ec63e2969ea}}	Low	Observability	Query details Documentation
Small MSSQL Server Audit Retention ^{_{59acb56b-2b10-4c2c-ba38-f2223c3f5cfc}}	Low	Observability	Query details Documentation
Small PostgreSQL DB Server Log Retention Period ^{_{261a83f8-dd72-4e8c-b5e1-ebf06e8fe606}}	Low	Observability	Query details Documentation
App Service Managed Identity Disabled ^{_{b61cce4b-0cc4-472b-8096-15617a6d769b}}	Low	Resource Management	Query details Documentation
SQL Server Alert Email Disabled ^{_{55975007-f6e7-4134-83c3-298f1fe4b519}}	Info	Best Practices	Query details Documentation

DATABRICKS¶

Below are listed queries related to Terraform DATABRICKS:

Query	Severity	Category	More info
Beta - Databricks Cluster or Job With None Or Insecure Permission(s) ^{_{a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5}}	High	Insecure Configurations	Query details Documentation
Beta - Unrestricted Databricks ACL ^{_{2c4fe4a9-f44b-4c70-b09b-5b75cd251805}}	High	Networking and Firewall	Query details Documentation
Beta - Job's Task is Legacy (spark_submit_task) ^{_{375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7}}	Medium	Best Practices	Query details Documentation
Beta - Indefinitely Databricks OBO Token Lifetime ^{_{23e1f5f0-12b7-4d7e-9087-f60f42ccd514}}	Medium	Insecure Defaults	Query details Documentation
Beta - Indefinitely Databricks Token Lifetime ^{_{7d05ca25-91b4-42ee-b6f6-b06611a87ce8}}	Medium	Insecure Defaults	Query details Documentation
Beta - Databricks Autoscale Badly Setup ^{_{953c0cc6-5f30-44cb-a803-bf4ef2571be8}}	Medium	Resource Management	Query details Documentation
Beta - Databricks Group Without User Or Instance Profile ^{_{23c3067a-8cc9-480c-b645-7c1e0ad4bf60}}	Low	Access Control	Query details Documentation
Beta - Check Databricks Cluster AWS Attribute Best Practices ^{_{b0749c53-e3ff-4d09-bbe4-dca94e2e7a38}}	Low	Best Practices	Query details Documentation
Beta - Check Databricks Cluster Azure Attribute Best Practices ^{_{38028698-e663-4ef7-aa92-773fef0ca86f}}	Low	Best Practices	Query details Documentation
Beta - Check Databricks Cluster GCP Attribute Best Practices ^{_{539e4557-d2b5-4d57-a001-cb01140a4e2d}}	Low	Best Practices	Query details Documentation
Beta - Check use no LTS Spark Version ^{_{5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6}}	Low	Best Practices	Query details Documentation

GCP¶

Below are listed queries related to Terraform GCP:

Query	Severity	Category	More info
Cloud Storage Anonymous or Publicly Accessible ^{_{a6cd52a1-3056-4910-96a5-894de9f3f3b3}}	Critical	Access Control	Query details Documentation
SQL DB Instance Publicly Accessible ^{_{b187edca-b81e-4fdc-aff4-aab57db45edb}}	Critical	Insecure Configurations	Query details Documentation
BigQuery Dataset Is Public ^{_{e576ce44-dd03-4022-a8c0-3906acca2ab4}}	High	Access Control	Query details Documentation
Google Project IAM Binding Service Account has Token Creator or Account User Role ^{_{617ef6ff-711e-4bd7-94ae-e965911b1b40}}	High	Access Control	Query details Documentation
Google Project IAM Member Service Account Has Admin Role ^{_{84d36481-fd63-48cb-838e-635c44806ec2}}	High	Access Control	Query details Documentation
Google Project IAM Member Service Account has Token Creator or Account User Role ^{_{c68b4e6d-4e01-4ca1-b256-1e18e875785c}}	High	Access Control	Query details Documentation
KMS Crypto Key is Publicly Accessible ^{_{16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5}}	High	Encryption	Query details Documentation
SQL DB Instance With SSL Disabled ^{_{02474449-71aa-40a1-87ae-e14497747b00}}	High	Encryption	Query details Documentation
GKE Legacy Authorization Enabled ^{_{5baa92d2-d8ee-4c75-88a4-52d9d8bb8067}}	High	Insecure Configurations	Query details Documentation
Google Storage Bucket Level Access Disabled ^{_{bb0db090-5509-4853-a827-75ced0b3caa0}}	High	Insecure Configurations	Query details Documentation
RDP Access Is Not Restricted ^{_{678fd659-96f2-454a-a2a0-c2571f83a4a3}}	High	Networking and Firewall	Query details Documentation
Cloud Storage Bucket Is Publicly Accessible ^{_{c010082c-76e0-4b91-91d9-6e8439e455dd}}	Medium	Access Control	Query details Documentation
KMS Admin and CryptoKey Roles In Use ^{_{92e4464a-4139-4d57-8742-b5acc0347680}}	Medium	Access Control	Query details Documentation
OSLogin Disabled ^{_{32ecd6eb-0711-421f-9627-1a28d9eff217}}	Medium	Access Control	Query details Documentation
VM With Full Cloud Access ^{_{bc280331-27b9-4acb-a010-018e8098aa5d}}	Medium	Access Control	Query details Documentation
SQL DB Instance Backup Disabled ^{_{cf3c7631-cd1e-42f3-8801-a561214a6e79}}	Medium	Backup	Query details Documentation
Disk Encryption Disabled ^{_{b1d51728-7270-4991-ac2f-fc26e2695b38}}	Medium	Encryption	Query details Documentation
DNSSEC Using RSASHA1 ^{_{ccc3100c-0fdd-4a5e-9908-c10107291860}}	Medium	Encryption	Query details Documentation
Google Compute SSL Policy Weak Cipher In Use ^{_{14a457f0-473d-4d1d-9e37-6d99b355b336}}	Medium	Encryption	Query details Documentation
Cloud DNS Without DNSSEC ^{_{5ef61c88-bbb4-4725-b1df-55d23c9676bb}}	Medium	Insecure Configurations	Query details Documentation
Google Container Node Pool Auto Repair Disabled ^{_{acfdbec6-4a17-471f-b412-169d77553332}}	Medium	Insecure Configurations	Query details Documentation
Google Project Auto Create Network Disabled ^{_{59571246-3f62-4965-a96f-c7d97e269351}}	Medium	Insecure Configurations	Query details Documentation
IP Aliasing Disabled ^{_{c606ba1d-d736-43eb-ac24-e16108f3a9e0}}	Medium	Insecure Configurations	Query details Documentation
Network Policy Disabled ^{_{11e7550e-c4b6-472e-adff-c698f157cdd7}}	Medium	Insecure Configurations	Query details Documentation
OSLogin Is Disabled For VM Instance ^{_{d0b4d550-c001-46c3-bbdb-d5d75d33f05f}}	Medium	Insecure Configurations	Query details Documentation
Pod Security Policy Disabled ^{_{9192e0f9-eca5-4056-9282-ae2a736a4088}}	Medium	Insecure Configurations	Query details Documentation
Private Cluster Disabled ^{_{6ccb85d7-0420-4907-9380-50313f80946b}}	Medium	Insecure Configurations	Query details Documentation
Shielded GKE Nodes Disabled ^{_{579a0727-9c29-4d58-8195-fc5802a8bdb4}}	Medium	Insecure Configurations	Query details Documentation
Shielded VM Disabled ^{_{1b44e234-3d73-41a8-9954-0b154135280e}}	Medium	Insecure Configurations	Query details Documentation
GKE Using Default Service Account ^{_{1c8eef02-17b1-4a3e-b01d-dcc3292d2c38}}	Medium	Insecure Defaults	Query details Documentation
Using Default Service Account ^{_{3cb4af0b-056d-4fb1-8b95-fdc4593625ff}}	Medium	Insecure Defaults	Query details Documentation
Google Compute Network Using Default Firewall Rule ^{_{40abce54-95b1-478c-8e5f-ea0bf0bb0e33}}	Medium	Networking and Firewall	Query details Documentation
Google Compute Network Using Firewall Rule that Allows All Ports ^{_{22ef1d26-80f8-4a6c-8c15-f35aab3cac78}}	Medium	Networking and Firewall	Query details Documentation
IP Forwarding Enabled ^{_{f34c0c25-47b4-41eb-9c79-249b4dd47b89}}	Medium	Networking and Firewall	Query details Documentation
Serial Ports Are Enabled For VM Instances ^{_{97fa667a-d05b-4f16-9071-58b939f34751}}	Medium	Networking and Firewall	Query details Documentation
SSH Access Is Not Restricted ^{_{c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0}}	Medium	Networking and Firewall	Query details Documentation
Cloud Storage Bucket Logging Not Enabled ^{_{d6cabc3a-d57e-48c2-b341-bf3dd4f4a120}}	Medium	Observability	Query details Documentation
Cloud Storage Bucket Versioning Disabled ^{_{e7e961ac-d17e-4413-84bc-8a1fbe242944}}	Medium	Observability	Query details Documentation
Google Compute Subnetwork Logging Disabled ^{_{40430747-442d-450a-a34f-dc57149f4609}}	Medium	Observability	Query details Documentation
Stackdriver Logging Disabled ^{_{4c7ebcb2-eae2-461e-bc83-456ee2d4f694}}	Medium	Observability	Query details Documentation
Stackdriver Monitoring Disabled ^{_{30e8dfd2-3591-4d19-8d11-79e93106c93d}}	Medium	Observability	Query details Documentation
Node Auto Upgrade Disabled ^{_{b139213e-7d24-49c2-8025-c18faa21ecaa}}	Medium	Resource Management	Query details Documentation
Service Account with Improper Privileges ^{_{cefdad16-0dd5-4ac5-8ed2-a37502c78672}}	Medium	Resource Management	Query details Documentation
High Google KMS Crypto Key Rotation Period ^{_{d8c57c4e-bf6f-4e32-a2bf-8643532de77b}}	Medium	Secret Management	Query details Documentation
Project-wide SSH Keys Are Enabled In VM Instances ^{_{3e4d5ce6-3280-4027-8010-c26eeea1ec01}}	Medium	Secret Management	Query details Documentation
User with IAM Role ^{_{704fcc44-a58f-4af5-82e2-93f2a58ef918}}	Low	Access Control	Query details Documentation
Outdated GKE Version ^{_{128df7ec-f185-48bc-8913-ce756a3ccb85}}	Low	Best Practices	Query details Documentation
Cluster Labels Disabled ^{_{65c1bc7a-4835-4ac4-a2b6-13d310b0648d}}	Low	Insecure Configurations	Query details Documentation
COS Node Image Not Used ^{_{8a893e46-e267-485a-8690-51f39951de58}}	Low	Insecure Configurations	Query details Documentation
Legacy Client Certificate Auth Enabled ^{_{73fb21a1-b19a-45b1-b648-b47b1678681e}}	Low	Insecure Configurations	Query details Documentation
Not Proper Email Account In Use ^{_{9356962e-4a4f-4d06-ac59-dc8008775eaa}}	Low	Insecure Configurations	Query details Documentation
Google Compute Network Using Firewall Rule that Allows Port Range ^{_{e6f61c37-106b-449f-a5bb-81bfcaceb8b4}}	Low	Networking and Firewall	Query details Documentation
Google Compute Subnetwork with Private Google Access Disabled ^{_{ee7b93c1-b3f8-4a3b-9588-146d481814f5}}	Low	Networking and Firewall	Query details Documentation
IAM Audit Not Properly Configured ^{_{89fe890f-b480-460c-8b6b-7d8b1468adb4}}	Low	Observability	Query details Documentation

GCP_BOM¶

Below are listed queries related to Terraform GCP_BOM:

Query	Severity	Category	More info
BOM - GCP Dataflow ^{_{895ed0d9-6fec-4567-8614-d7a74b599a53}}	Trace	Bill Of Materials	Query details Documentation
BOM - GCP FI ^{_{c9d81239-c818-4869-9917-1570c62b81fd}}	Trace	Bill Of Materials	Query details Documentation
BOM - GCP PD ^{_{dd7d70aa-a6ec-460d-b5d2-38b40253b16f}}	Trace	Bill Of Materials	Query details Documentation
BOM - GCP PST ^{_{4b82202a-b18e-4891-a1eb-a0989850bbb3}}	Trace	Bill Of Materials	Query details Documentation
BOM - GCP Redis ^{_{bc75ce52-a60a-4660-b533-bce837a5019b}}	Trace	Bill Of Materials	Query details Documentation
BOM - GCP SB ^{_{2f06d22c-56bd-4f73-8a51-db001fcf2150}}	Trace	Bill Of Materials	Query details Documentation

GITHUB¶

Below are listed queries related to Terraform GITHUB:

Query	Severity	Category	More info
Github Organization Webhook With SSL Disabled ^{_{ce7c874e-1b88-450b-a5e4-cb76ada3c8a9}}	Medium	Encryption	Query details Documentation
GitHub Repository Set To Public ^{_{15d8a7fd-465a-4d15-a868-add86552f17b}}	Medium	Insecure Configurations	Query details Documentation

KUBERNETES¶

Below are listed queries related to Terraform KUBERNETES:

Query	Severity	Category	More info
Non Kube System Pod With Host Mount ^{_{86a947ea-f577-4efb-a8b0-5fc00257d521}}	High	Access Control	Query details Documentation
Cluster Allows Unsafe Sysctls ^{_{a9174d31-d526-4ad9-ace4-ce7ddbf52e03}}	High	Insecure Configurations	Query details Documentation
Container Is Privileged ^{_{87065ef8-de9b-40d8-9753-f4a4303e27a4}}	High	Insecure Configurations	Query details Documentation
Container Runs Unmasked ^{_{0ad60203-c050-4115-83b6-b94bde92541d}}	High	Insecure Configurations	Query details Documentation
Containers With Sys Admin Capabilities ^{_{3f55386d-75cd-4e9a-ac47-167b26c04724}}	High	Insecure Configurations	Query details Documentation
Privilege Escalation Allowed ^{_{c878abb4-cca5-4724-92b9-289be68bd47c}}	High	Insecure Configurations	Query details Documentation
PSP Allows Containers To Share The Host Network Namespace ^{_{4950837c-0ce5-4e42-9bee-a25eae73740b}}	High	Insecure Configurations	Query details Documentation
PSP Allows Privilege Escalation ^{_{2bff9906-4e9b-4f71-9346-8ebedfdf43ef}}	High	Insecure Configurations	Query details Documentation
PSP Allows Sharing Host IPC ^{_{51bed0ac-a8ae-407a-895e-90c6cb0610ce}}	High	Insecure Configurations	Query details Documentation
PSP Set To Privileged ^{_{a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9}}	High	Insecure Configurations	Query details Documentation
PSP With Added Capabilities ^{_{48388bd2-7201-4dcc-b56d-e8a9efa58fad}}	High	Insecure Configurations	Query details Documentation
Tiller (Helm v2) Is Deployed ^{_{ca2fba76-c1a7-4afd-be67-5249f861cb0e}}	High	Insecure Configurations	Query details Documentation
Workload Mounting With Sensitive OS Directory ^{_{a737be28-37d8-4bff-aa6d-1be8aa0a0015}}	High	Insecure Configurations	Query details Documentation
Volume Mount With OS Directory Write Permissions ^{_{a62a99d1-8196-432f-8f80-3c100b05d62a}}	High	Resource Management	Query details Documentation
Docker Daemon Socket is Exposed to Containers ^{_{4e203a65-c8d8-49a2-b749-b124d43c9dc1}}	Medium	Access Control	Query details Documentation
Missing App Armor Config ^{_{bd6bd46c-57db-4887-956d-d372f21291b6}}	Medium	Access Control	Query details Documentation
Permissive Access to Create Pods ^{_{522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba}}	Medium	Access Control	Query details Documentation
RBAC Roles with Read Secrets Permissions ^{_{826abb30-3cd5-4e0b-a93b-67729b4f7e63}}	Medium	Access Control	Query details Documentation
Readiness Probe Is Not Configured ^{_{8657197e-3f87-4694-892b-8144701d83c1}}	Medium	Availability	Query details Documentation
Root Containers Admitted ^{_{4c415497-7410-4559-90e8-f2c8ac64ee38}}	Medium	Best Practices	Query details Documentation
Incorrect Volume Claim Access Mode ReadWriteOnce ^{_{26b047a9-0329-48fd-8fb7-05bbe5ba80ee}}	Medium	Build Process	Query details Documentation
Container Host Pid Is True ^{_{587d5d82-70cf-449b-9817-f60f9bccb88c}}	Medium	Insecure Configurations	Query details Documentation
Container Resources Limits Undefined ^{_{60af03ff-a421-45c8-b214-6741035476fa}}	Medium	Insecure Configurations	Query details Documentation
Containers With Added Capabilities ^{_{fe771ff7-ba15-4f8f-ad7a-8aa232b49a28}}	Medium	Insecure Configurations	Query details Documentation
Ingress Controller Exposes Workload ^{_{e2c83c1f-84d7-4467-966c-ed41fd015bb9}}	Medium	Insecure Configurations	Query details Documentation
NET_RAW Capabilities Disabled for PSP ^{_{9aa32890-ac1a-45ee-81ca-5164e2098556}}	Medium	Insecure Configurations	Query details Documentation
NET_RAW Capabilities Not Being Dropped ^{_{e5587d53-a673-4a6b-b3f2-ba07ec274def}}	Medium	Insecure Configurations	Query details Documentation
Seccomp Profile Is Not Configured ^{_{455f2e0c-686d-4fcb-8b5f-3f953f12c43c}}	Medium	Insecure Configurations	Query details Documentation
Role Binding To Default Service Account ^{_{3360c01e-c8c0-4812-96a2-a6329b9b7f9f}}	Medium	Insecure Defaults	Query details Documentation
Service Account Name Undefined Or Empty ^{_{24b132df-5cc7-4823-8029-f898e1c50b72}}	Medium	Insecure Defaults	Query details Documentation
Service Account Token Automount Not Disabled ^{_{a9a13d4f-f17a-491b-b074-f54bffffcb4a}}	Medium	Insecure Defaults	Query details Documentation
Service With External Load Balancer ^{_{2a52567c-abb8-4651-a038-52fa27c77aed}}	Medium	Networking and Firewall	Query details Documentation
Memory Limits Not Defined ^{_{fd097ed0-7fe6-4f58-8b71-fef9f0820a21}}	Medium	Resource Management	Query details Documentation
Memory Requests Not Defined ^{_{21719347-d02b-497d-bda4-04a03c8e5b61}}	Medium	Resource Management	Query details Documentation
Shared Host IPC Namespace ^{_{e94d3121-c2d1-4e34-a295-139bfeb73ea3}}	Medium	Resource Management	Query details Documentation
Shared Host Network Namespace ^{_{ac1564a3-c324-4747-9fa1-9dfc234dace0}}	Medium	Resource Management	Query details Documentation
Service Account Allows Access Secrets ^{_{07fc3413-e572-42f7-9877-5c8fc6fccfb5}}	Medium	Secret Management	Query details Documentation
Shared Service Account ^{_{f74b9c43-161a-4799-bc95-0b0ec81801b9}}	Medium	Secret Management	Query details Documentation
Cluster Admin Rolebinding With Superuser Permissions ^{_{17172bc2-56fb-4f17-916f-a014147706cd}}	Low	Access Control	Query details Documentation
Deployment Without PodDisruptionBudget ^{_{a05331ee-1653-45cb-91e6-13637a76e4f0}}	Low	Availability	Query details Documentation
HPA Targets Invalid Object ^{_{17e52ca3-ddd0-4610-9d56-ce107442e110}}	Low	Availability	Query details Documentation
StatefulSet Without PodDisruptionBudget ^{_{7249e3b0-9231-4af3-bc5f-5daf4988ecbf}}	Low	Availability	Query details Documentation
StatefulSet Without Service Name ^{_{420e6360-47bb-46f6-9072-b20ed22c842d}}	Low	Availability	Query details Documentation
Metadata Label Is Invalid ^{_{bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e}}	Low	Best Practices	Query details Documentation
No Drop Capabilities for Containers ^{_{21cef75f-289f-470e-8038-c7cee0664164}}	Low	Best Practices	Query details Documentation
Root Container Not Mounted As Read-only ^{_{d532566b-8d9d-4f3b-80bd-361fe802f9c2}}	Low	Build Process	Query details Documentation
StatefulSet Requests Storage ^{_{fcc2612a-1dfe-46e4-8ce6-0320959f0040}}	Low	Build Process	Query details Documentation
Default Service Account In Use ^{_{737a0dd9-0aaa-4145-8118-f01778262b8a}}	Low	Insecure Configurations	Query details Documentation
Image Pull Policy Of The Container Is Not Set To Always ^{_{aa737abf-6b1d-4aba-95aa-5c160bd7f96e}}	Low	Insecure Configurations	Query details Documentation
Image Without Digest ^{_{228c4c19-feeb-4c18-848c-800ac70fdfb7}}	Low	Insecure Configurations	Query details Documentation
Pod or Container Without Security Context ^{_{ad69e38a-d92e-4357-a8da-f2f29d545883}}	Low	Insecure Configurations	Query details Documentation
Using Default Namespace ^{_{abcb818b-5af7-4d72-aba9-6dd84956b451}}	Low	Insecure Configurations	Query details Documentation
Network Policy Is Not Targeting Any Pod ^{_{b80b14c6-aaa2-4876-b651-8a48b6c32fbf}}	Low	Networking and Firewall	Query details Documentation
Service Type is NodePort ^{_{5c281bf8-d9bb-47f2-b909-3f6bb11874ad}}	Low	Networking and Firewall	Query details Documentation
Workload Host Port Not Specified ^{_{4e74cf4f-ff65-4c1a-885c-67ab608206ce}}	Low	Networking and Firewall	Query details Documentation
CPU Limits Not Set ^{_{5f4735ce-b9ba-4d95-a089-a37a767b716f}}	Low	Resource Management	Query details Documentation
CPU Requests Not Set ^{_{577ac19c-6a77-46d7-9f14-e049cdd15ec2}}	Low	Resource Management	Query details Documentation
CronJob Deadline Not Configured ^{_{58876b44-a690-4e9f-9214-7735fa0dd15d}}	Low	Resource Management	Query details Documentation
Deployment Has No PodAntiAffinity ^{_{461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3}}	Low	Resource Management	Query details Documentation
Secrets As Environment Variables ^{_{6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8}}	Low	Secret Management	Query details Documentation
Invalid Image ^{_{e76cca7c-c3f9-4fc9-884c-b2831168ebd8}}	Low	Supply-Chain	Query details Documentation
Liveness Probe Is Not Defined ^{_{5b6d53dd-3ba3-4269-b4d7-f82e880e43c3}}	Info	Availability	Query details Documentation

NIFCLOUD¶

Below are listed queries related to Terraform NIFCLOUD:

Query	Severity	Category	More info
Nifcloud RDB Has Public DB Access ^{_{fb387023-e4bb-42a8-9a70-6708aa7ff21b}}	High	Access Control	Query details Documentation
Nifcloud Computing Has Public Ingress Security Group Rule ^{_{b2ea2367-8dc9-4231-a035-d0b28bfa3dde}}	High	Networking and Firewall	Query details Documentation
Nifcloud Computing Undefined Security Group To Instance ^{_{89218b48-75c9-4cb3-aaba-5299e852e8bc}}	High	Networking and Firewall	Query details Documentation
Nifcloud NAS Has Public Ingress NAS Security Group Rule ^{_{8d7758a7-d9cd-499a-a83e-c9bdcbff728d}}	High	Networking and Firewall	Query details Documentation
Nifcloud RDB Has Public DB Ingress Security Group Rule ^{_{a0b846e8-815f-4f15-b660-bc4ab9fa1e1a}}	High	Networking and Firewall	Query details Documentation
Nifcloud Router Undefined Security Group ^{_{e7dada38-af20-4899-8955-dabea84ab1f0}}	High	Networking and Firewall	Query details Documentation
Nifcloud VPN Gateway Undefined Security Group ^{_{b3535a48-910c-47f8-8b3b-14222f29ef80}}	High	Networking and Firewall	Query details Documentation
Nifcloud LB Using Insecure TLS Policy ID ^{_{944439c7-b4b8-476a-8f83-14641ea876ba}}	Medium	Encryption	Query details Documentation
Nifcloud LB Using Insecure TLS Policy Name ^{_{675e8eaa-2754-42b7-bf33-bfa295d1601d}}	Medium	Encryption	Query details Documentation
Nifcloud ELB Listener Using HTTP Protocol ^{_{afcb0771-4f94-44ed-ad4a-9f73f11ce6e0}}	Medium	Networking and Firewall	Query details Documentation
Nifcloud ELB Using HTTP Protocol ^{_{e2de2b80-2fc2-4502-a764-40930dfcc70a}}	Medium	Networking and Firewall	Query details Documentation
Nifcloud LB Listener Using HTTP Port ^{_{9f751a80-31f0-43a3-926c-20772791a038}}	Medium	Networking and Firewall	Query details Documentation
Nifcloud LB Using HTTP Port ^{_{94e47f3f-b90b-43a1-a36d-521580bae863}}	Medium	Networking and Firewall	Query details Documentation
Nifcloud Low RDB Backup Retention Period ^{_{e5071f76-cbe7-468d-bb2b-d10f02d2b713}}	Low	Backup	Query details Documentation
Nifcloud DNS Has Verified Record ^{_{a1defcb6-55e8-4511-8c2a-30b615b0e057}}	Low	Insecure Configurations	Query details Documentation
Nifcloud Computing Has Common Private Network ^{_{df58dd45-8009-43c2-90f7-c90eb9d53ed9}}	Low	Networking and Firewall	Query details Documentation
Nifcloud ELB Has Common Private Network ^{_{5061f84c-ab66-4660-90b9-680c9df346c0}}	Low	Networking and Firewall	Query details Documentation
Nifcloud NAS Has Common Private Network ^{_{4b801c38-ebb4-4c81-984b-1ba525d43adf}}	Low	Networking and Firewall	Query details Documentation
Nifcloud RDB Has Common Private Network ^{_{9bf57c23-fbab-4222-85f3-3f207a53c6a8}}	Low	Networking and Firewall	Query details Documentation
Nifcloud Router Has Common Private Network ^{_{30c2760c-740e-4672-9d7f-2c29e0cb385d}}	Low	Networking and Firewall	Query details Documentation
Nifcloud Computing Undefined Description To Security Group ^{_{41c127a9-3a85-4bc3-a333-ed374eb9c3e4}}	Info	Best Practices	Query details Documentation
Nifcloud Computing Undefined Description To Security Group Rule ^{_{e4610872-0b1c-4fb7-ab57-d81c0afdb291}}	Info	Best Practices	Query details Documentation
Nifcloud NAS Undefined Description To NAS Security Group ^{_{e840c54a-7a4c-405f-b8c1-c49a54b87d11}}	Info	Best Practices	Query details Documentation
Nifcloud RDB Undefined Description To DB Security Group ^{_{940ddce2-26bd-4e31-a9b4-382714f73231}}	Info	Best Practices	Query details Documentation

SHARED (V2/V3)¶

Below are listed queries related to Terraform SHARED (V2/V3):

Query	Severity	Category	More info
Generic Git Module Without Revision ^{_{3a81fc06-566f-492a-91dd-7448e409e2cd}}	Info	Best Practices	Query details Documentation
Name Is Not Snake Case ^{_{1e434b25-8763-4b00-a5ca-ca03b7abbb66}}	Info	Best Practices	Query details Documentation
Output Without Description ^{_{59312e8a-a64e-41e7-a252-618533dd1ea8}}	Info	Best Practices	Query details Documentation
Variable Without Description ^{_{2a153952-2544-4687-bcc9-cc8fea814a9b}}	Info	Best Practices	Query details Documentation
Variable Without Type ^{_{fc5109bf-01fd-49fb-8bde-4492b543c34a}}	Info	Best Practices	Query details Documentation

TENCENTCLOUD¶

Below are listed queries related to Terraform TENCENTCLOUD:

Query	Severity	Category	More info
Beta - CLB Listener Using Insecure Protocols ^{_{fe08b81c-12e9-4b5e-9006-4218fca750fd}}	High	Encryption	Query details Documentation
Beta - TKE Cluster Encryption Protection Disabled ^{_{3ed47402-e322-465f-a0f0-8681135a17b0}}	High	Encryption	Query details Documentation
Beta - CDB Instance Internet Service Enabled ^{_{5d820574-4a60-4916-b049-0810b8629731}}	High	Insecure Configurations	Query details Documentation
Beta - CVM Instance Has Public IP ^{_{a74b4602-a62c-4a02-956a-e19f86ea24b5}}	High	Networking and Firewall	Query details Documentation
Beta - Security Group Rule Set Accepts All Traffic ^{_{d135a36e-c474-452f-b891-76db1e6d1cd5}}	High	Networking and Firewall	Query details Documentation
Beta - CDB Instance Without Backup Policy ^{_{ca94be07-7de3-4ae7-85ef-67e0462ec694}}	Medium	Backup	Query details Documentation
Beta - CLB Instance Log Setting Disabled ^{_{ada01ed1-b10c-4f2a-b110-b20fa4f9baa6}}	Medium	Encryption	Query details Documentation
Beta - Disk Encryption Disabled ^{_{1ee0f202-31da-49ba-bbce-04a989912e4b}}	Medium	Encryption	Query details Documentation
Beta - TKE Cluster Has Public Access ^{_{df6928ed-02f4-421f-9a67-a529860dd7e7}}	Medium	Insecure Configurations	Query details Documentation
Beta - CVM Instance Using Default Security Group ^{_{93bb2065-63ec-45a2-a466-f106b56f2e32}}	Low	Access Control	Query details Documentation
Beta - CVM Instance Using User Data ^{_{5bb6fa08-5e84-4760-a54a-cdcd66626976}}	Low	Access Control	Query details Documentation
Beta - CDB Instance Internet Using Default Intranet Port ^{_{18d6aa4b-7570-4d95-9c75-90363ef1abd9}}	Low	Insecure Configurations	Query details Documentation
Beta - CVM Instance Using Default VPC ^{_{b4e75c5c-83d5-4568-90e3-57ed5ec4051b}}	Low	Networking and Firewall	Query details Documentation
Beta - TKE Cluster Log Agent Is Not Enabled ^{_{fe405074-7e18-40f9-9aef-024aa1d0a889}}	Low	Observability	Query details Documentation
Beta - VPC Flow Logs Disabled ^{_{a3240001-40db-47b7-abb9-2bcd6a04c430}}	Low	Observability	Query details Documentation
Beta - CVM Instance Disable Monitor Service ^{_{966ed4f7-b8a5-4e8d-b2bf-098657c98960}}	Info	Observability	Query details Documentation