From 38afb00d5abb087dd755c21b0bb11c52c8d8b944 Mon Sep 17 00:00:00 2001 
From: gabriel-cx Date: Wed, 28 Feb 2024 08:46:39 +0000 Subject: [PATCH] docs(queries): update queries catalog --- docs/queries/all-queries.md | 3591 +++++++++-------- docs/queries/ansible-queries.md | 509 ++- .../2d55ef88-b616-4890-b822-47f280763e89.md | 55 - .../309edc5b-5a59-42b4-a357-d4d098311fd4.md | 2 +- .../c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md | 120 +- docs/queries/azureresourcemanager-queries.md | 88 +- .../7c25f361-7c66-44bf-9b69-022acd5eb4bd.md | 178 + docs/queries/buildah-queries.md | 6 +- docs/queries/cicd-queries.md | 14 +- .../20f14e1a-a899-4e79-9f09-b6a84cd4649b.md | 10 +- .../555ab8f9-2001-455e-a077-f2d0f41e2fb9.md | 5 +- .../62ff6823-927a-427f-acf9-f1ea2932d616.md | 42 +- docs/queries/cloudformation-queries.md | 575 +-- .../086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md | 2 +- .../0f04217d-488f-4e7a-bec8-f16159686cd6.md | 142 + .../0f139403-303f-467c-96bd-e717e6cfd62d.md | 80 + .../64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md | 2 +- .../7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md | 4 +- .../80d45af4-4920-4236-a56e-b7ef419d1941.md | 408 +- .../a25cd877-375c-4121-a640-730929936fac.md | 2 +- .../ab759fde-e1e8-4b0e-ad73-ba856e490ed8.md | 123 + .../dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md | 115 - .../edbd62d4-8700-41de-b000-b3cfebb5e996.md | 2 +- docs/queries/common-queries.md | 6 +- .../a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md | 59 +- docs/queries/crossplane-queries.md | 65 +- .../0c7a76d9-7dc5-499e-81ac-9245839177cb.md | 76 + docs/queries/dockercompose-queries.md | 46 +- .../4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md | 29 +- .../8c978947-0ff6-485c-b0c2-0bfca6026466.md | 91 + .../ce14a68b-1668-41a0-ab7d-facd9f784742.md | 102 - docs/queries/dockerfile-queries.md | 102 +- .../0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md | 4 +- .../41c195f4-fc31-4a5c-8a1b-90605538d49f.md | 8 +- .../68a51e22-ae5a-4d48-8e87-b01a323605c9.md | 8 +- .../6938958b-3f1a-451c-909b-baeee14bdc97.md | 8 +- .../9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md | 151 +- .../cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md | 4 
+- .../f4a6bcd3-e231-4acf-993c-aa027be50d2e.md | 2 +- .../googledeploymentmanager-queries.md | 92 +- docs/queries/grpc-queries.md | 6 +- docs/queries/knative-queries.md | 6 +- docs/queries/kubernetes-queries.md | 296 +- .../13a49a2e-488e-4309-a7c0-d6b05577a5fb.md | 4 +- .../1a07a446-8e61-4e4d-bc16-b0781fcb8211.md | 8 +- .../1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md | 6 +- .../1de5cc51-f376-4638-a940-20f2e85ae238.md | 8 +- .../2940d48a-dc5e-4178-a3f8-bfbd80720b41.md | 8 +- .../510d5810-9a30-443a-817d-5c1fa527b110.md | 6 +- .../52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md | 4 +- .../5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md | 6 +- .../6cf42c97-facd-4fda-b8af-ea4529123355.md | 8 +- .../bf36b900-b5ef-4828-adb7-70eb543b7cfb.md | 6 +- .../e0e00aba-5f1c-4981-a542-9a9563c0ee20.md | 6 +- .../ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md | 4 +- .../f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md | 8 +- .../fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md | 2 +- docs/queries/openapi-queries.md | 566 +-- .../8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md | 272 ++ docs/queries/pulumi-queries.md | 81 +- .../327b0729-4c5c-4c44-8b5c-e476cd9c7290.md | 2 +- .../abcefee4-a0c1-4245-9f82-a473f79a9e2f.md | 78 + docs/queries/serverlessfw-queries.md | 24 +- docs/queries/terraform-queries.md | 1453 +++---- .../0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md | 31 + .../3deec14b-03d2-4d27-9670-7d79322e3340.md | 4 +- .../4728cd65-a20c-49da-8b31-9c08b423e4db.md | 2 +- .../4849211b-ac39-479e-ae78-5694d506cb24.md | 4 +- .../66f130d9-b81d-4e8e-9b08-da74b9c891df.md | 2 +- .../6726dcc0-5ff5-459d-b473-a780bef7665c.md | 2 +- .../741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md | 2 +- .../e08ed7eb-f3ef-494d-9d22-2e3db756a347.md | 2 +- .../e2de2b80-2fc2-4502-a764-40930dfcc70a.md | 2 +- .../1ee0f202-31da-49ba-bbce-04a989912e4b.md | 74 + 74 files changed, 5644 insertions(+), 4277 deletions(-) delete mode 100644 docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md create mode 100644 
docs/queries/cloudformation-queries/aws/0f04217d-488f-4e7a-bec8-f16159686cd6.md create mode 100644 docs/queries/cloudformation-queries/aws/ab759fde-e1e8-4b0e-ad73-ba856e490ed8.md delete mode 100644 docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md create mode 100644 docs/queries/crossplane-queries/aws/0c7a76d9-7dc5-499e-81ac-9245839177cb.md create mode 100644 docs/queries/dockercompose-queries/8c978947-0ff6-485c-b0c2-0bfca6026466.md delete mode 100644 docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md create mode 100644 docs/queries/pulumi-queries/aws/abcefee4-a0c1-4245-9f82-a473f79a9e2f.md create mode 100644 docs/queries/terraform-queries/tencentcloud/1ee0f202-31da-49ba-bbce-04a989912e4b.md
diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
index ec5717f205c..2f11e6d00c9 100644
--- a/docs/queries/all-queries.md
+++ b/docs/queries/all-queries.md
@@ -1,1798 +1,1799 @@
 ## Queries List This page contains all queries.
-| Query |Platform|Severity|Category|Description|Help|
-|-----------------------------|---|---|---|---|---|
-|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
0f04217d-488f-4e7a-bec8-f16159686cd6|CloudFormation|Medium|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| -|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|CloudFormation|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| -|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| -|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| -|API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| -|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| -|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| -|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| -|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|CloudFormation|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| -|ECS Cluster with Container Insights Disabled
ab759fde-e1e8-4b0e-ad73-ba856e490ed8|CloudFormation|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| -|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|CloudFormation|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| -|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Shared Volumes Between Containers
8c978947-0ff6-485c-b0c2-0bfca6026466|DockerCompose|Info|Insecure Configurations|Volumes shared between containers can cause data corruption or can be used to share malicious files between containers. (read more)|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|ECS Cluster with Container Insights Disabled
0c7a76d9-7dc5-499e-81ac-9245839177cb|Crossplane|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| -|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Ansible|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
| -|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Ansible|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
| -|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Ansible|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
| -|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|Ansible|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| -|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Ansible|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Ansible|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Ansible|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| -|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| -|Nifcloud DNS Has Verified Record
a1defcb6-55e8-4511-8c2a-30b615b0e057|Terraform|High|Insecure Configurations|Removing verified record of TXT auth the risk that If the authentication record remains, anyone can register the zone (read more)|Documentation
| -|Nifcloud ELB Listener Use HTTP Protocol
afcb0771-4f94-44ed-ad4a-9f73f11ce6e0|Terraform|High|Insecure Configurations|The elb listener use http protocol (read more)|Documentation
| -|Nifcloud LB Listener Use HTTP Port
9f751a80-31f0-43a3-926c-20772791a038|Terraform|High|Insecure Configurations|The lb listener use http port (read more)|Documentation
| -|Nifcloud LB Use Insecure TLS Policy ID
944439c7-b4b8-476a-8f83-14641ea876ba|Terraform|High|Insecure Configurations|The lb use insecure tls policy (read more)|Documentation
| -|Nifcloud LB Use HTTP Port
94e47f3f-b90b-43a1-a36d-521580bae863|Terraform|High|Insecure Configurations|The lb use http port (read more)|Documentation
| -|Nifcloud LB Use Insecure TLS Policy Name
675e8eaa-2754-42b7-bf33-bfa295d1601d|Terraform|High|Insecure Configurations|The lb use insecure tls policy (read more)|Documentation
| -|Nifcloud ELB Use HTTP Protocol
e2de2b80-2fc2-4502-a764-40930dfcc70a|Terraform|High|Insecure Configurations|The elb use http protocol (read more)|Documentation
| -|Nifcloud NAS Has Public Ingress NAS Security Group Rule
8d7758a7-d9cd-499a-a83e-c9bdcbff728d|Terraform|High|Networking and Firewall|An ingress nas security group rule allows traffic from /0 (read more)|Documentation
| -|Nifcloud Computing Undefined Security Group To Instance
89218b48-75c9-4cb3-aaba-5299e852e8bc|Terraform|High|Networking and Firewall|Missing security group for instance (read more)|Documentation
| -|Nifcloud Computing Has Public Ingress Security Group Rule
b2ea2367-8dc9-4231-a035-d0b28bfa3dde|Terraform|High|Networking and Firewall|An ingress security group rule allows traffic from /0 (read more)|Documentation
| -|Nifcloud Router Undefined Security Group To Router
e7dada38-af20-4899-8955-dabea84ab1f0|Terraform|High|Networking and Firewall|Missing security group for router (read more)|Documentation
| -|Nifcloud RDB Has Public DB Ingress Security Group Rule
a0b846e8-815f-4f15-b660-bc4ab9fa1e1a|Terraform|High|Networking and Firewall|An db ingress security group rule allows traffic from /0 (read more)|Documentation
| -|Nifcloud RDB Has Public DB Access
fb387023-e4bb-42a8-9a70-6708aa7ff21b|Terraform|High|Networking and Firewall|The rdb has public db access (read more)|Documentation
| -|Nifcloud Vpn Gateway Undefined Security Group To Vpn Gateway
b3535a48-910c-47f8-8b3b-14222f29ef80|Terraform|High|Networking and Firewall|Missing security group for vpn gateway (read more)|Documentation
| -|Nifcloud RDB Has Backup Retention Less Than 2 Day
e5071f76-cbe7-468d-bb2b-d10f02d2b713|Terraform|Medium|Backup|The rdb has backup retention less than 2 day (read more)|Documentation
| -|Nifcloud Router Has Common Private Network
30c2760c-740e-4672-9d7f-2c29e0cb385d|Terraform|Low|Networking and Firewall|The router has common private network (read more)|Documentation
| -|Nifcloud ELB Has Common Private Network
5061f84c-ab66-4660-90b9-680c9df346c0|Terraform|Low|Networking and Firewall|The elb has common private network (read more)|Documentation
| -|Nifcloud NAS Has Common Private Network
4b801c38-ebb4-4c81-984b-1ba525d43adf|Terraform|Low|Networking and Firewall|The nas has common private network (read more)|Documentation
| -|Nifcloud RDB Has Common Private Network
9bf57c23-fbab-4222-85f3-3f207a53c6a8|Terraform|Low|Networking and Firewall|The rdb has common private network (read more)|Documentation
| -|Nifcloud Computing Has Common Private Network
df58dd45-8009-43c2-90f7-c90eb9d53ed9|Terraform|Low|Networking and Firewall|The instance has common private network (read more)|Documentation
| -|Nifcloud RDB Undefined Description To DB Security Group
940ddce2-26bd-4e31-a9b4-382714f73231|Terraform|Low|Networking and Firewall|Missing description for db security group (read more)|Documentation
| -|Nifcloud Computing Undefined Description To Security Group
41c127a9-3a85-4bc3-a333-ed374eb9c3e4|Terraform|Low|Networking and Firewall|Missing description for security group (read more)|Documentation
| -|Nifcloud Computing Undefined Description To Security Group Rule
e4610872-0b1c-4fb7-ab57-d81c0afdb291|Terraform|Low|Networking and Firewall|Missing description for security group rule (read more)|Documentation
| -|Nifcloud NAS Undefined Description To NAS Security Group
e840c54a-7a4c-405f-b8c1-c49a54b87d11|Terraform|Low|Networking and Firewall|Missing description for nas security group (read more)|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| -|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| -|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Medium|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| -|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|Terraform|High|Insecure Configurations|Databricks Cluster and Job must have restricted permissions (read more)|Documentation
| -|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|Terraform|High|Networking and Firewall|ACL allow ingress from 0.0.0.0/0 and/or ::/0 (read more)|Documentation
| -|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Terraform|Medium|Best Practices|One or some Databricks Cluster Azure Attribute Best Practices are not respected (read more)|Documentation
| -|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Terraform|Medium|Best Practices|One or some Databricks Cluster AWS Attribute Best Practices are not respected (read more)|Documentation
| -|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Terraform|Medium|Best Practices|Job's Task Is spark_submit_task (read more)|Documentation
| -|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Terraform|Medium|Best Practices|Spark Version is not a Long-term Support (read more)|Documentation
| -|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Terraform|Medium|Best Practices|One or some Databricks Cluster GCP Attribute Best Practices are not respected (read more)|Documentation
| -|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Terraform|Medium|Insecure Defaults|Token has an indefinitely lifetime (read more)|Documentation
| -|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Terraform|Medium|Insecure Defaults|OBO Token has an indefinitely lifetime (read more)|Documentation
| -|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Terraform|Medium|Resource Management|Databricks should have min and max worker setup for autoscale (read more)|Documentation
| -|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Terraform|Low|Access Control|Databricks Group should have at least one user or one instance profile associated (read more)|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control||Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control||Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control||Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control||Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control||Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control||Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control||Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control||Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations||Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations||Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations||Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations||Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations||Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations||Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations||Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall||Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall||Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall||Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| -|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control||Documentation
| -|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations||Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices||Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices||Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices||Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices||Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices||Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices||Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices||Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices||Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices||Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices||Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices||Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices||Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices||Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices||Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices||Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices||Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics||Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics||Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics||Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics||Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics||Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics||Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics||Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics||Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics||Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics||Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics||Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics||Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics||Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics||Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics||Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics||Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics||Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics||Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics||Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics||Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics||Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics||Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics||Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Medium|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|ECS Cluster with Container Insights Disabled
abcefee4-a0c1-4245-9f82-a473f79a9e2f|Pulumi|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| + | Query |Platform|Severity|Category|More info| +|-----------------------------|---|---|---|---| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Query details
Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|Query details
Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|Query details
Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|Query details
Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Query details
Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|Query details
Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|Query details
Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|Query details
Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|Query details
Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|Query details
Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Query details
Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Query details
Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Query details
Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Query details
Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Query details
Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Query details
Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Query details
Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|Query details
Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|Query details
Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|Query details
Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|Query details
Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|Query details
Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|Query details
Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Query details
Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|Query details
Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Query details
Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Query details
Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|Query details
Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|Query details
Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|Query details
Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Query details
Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|Query details
Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|Query details
Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Query details
Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Query details
Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Query details
Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Query details
Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|Query details
Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|Query details
Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|Query details
Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|Query details
Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|Query details
Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Query details
Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Query details
Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|Query details
Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Query details
Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Query details
Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Query details
Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Query details
Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|Query details
Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Query details
Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|Query details
Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|Query details
Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|Query details
Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Query details
Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|Query details
Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Query details
Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Query details
Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Query details
Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Query details
Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|Query details
Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|Query details
Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Query details
Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Query details
Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Query details
Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|Query details
Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|Query details
Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|Query details
Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|Query details
Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|Query details
Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Query details
Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Query details
Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Query details
Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Query details
Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Query details
Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|Query details
Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|Query details
Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|Query details
Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Query details
Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Query details
Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Query details
Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Query details
Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|Query details
Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Query details
Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|Query details
Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Query details
Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Query details
Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Query details
Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Query details
Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Query details
Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|Query details
Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|Query details
Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|Query details
Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|Query details
Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|Query details
Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Query details
Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Query details
Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Query details
Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Query details
Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|Query details
Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|Query details
Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Query details
Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Query details
Documentation
| +|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|Query details
Documentation
| +|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Query details
Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|Query details
Documentation
| +|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|Query details
Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|Query details
Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|Query details
Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|Query details
Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|Query details
Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|Query details
Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|Query details
Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|Query details
Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|CloudFormation|High|Access Control|Query details
Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|Query details
Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|Query details
Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|Query details
Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|Query details
Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|Query details
Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Query details
Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|Query details
Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|Query details
Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|Query details
Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Query details
Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|Query details
Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Query details
Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Query details
Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Query details
Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Query details
Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|Query details
Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|Query details
Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Query details
Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|Query details
Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Query details
Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|Query details
Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|Query details
Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|Query details
Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|Query details
Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Query details
Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|Query details
Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Query details
Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|Query details
Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|Query details
Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Query details
Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Query details
Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Query details
Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|CloudFormation|High|Encryption|Query details
Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|Query details
Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|Query details
Documentation
| +|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|Query details
Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|Query details
Documentation
| +|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Query details
Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Query details
Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Query details
Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|Query details
Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|Query details
Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|Query details
Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|Query details
Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Query details
Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|Query details
Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|Query details
Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Query details
Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Query details
Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Query details
Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Query details
Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|Query details
Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Query details
Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Query details
Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|Query details
Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Query details
Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|Query details
Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|Query details
Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Query details
Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|Query details
Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Query details
Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|Query details
Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|Query details
Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|Query details
Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|Query details
Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|Query details
Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|Query details
Documentation
| +|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Query details
Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Query details
Documentation
| +|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|Query details
Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
0f04217d-488f-4e7a-bec8-f16159686cd6|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Query details
Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|Query details
Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|Query details
Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Medium|Encryption|Query details
Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Query details
Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Query details
Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|Query details
Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Query details
Documentation
| +|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|CloudFormation|Medium|Encryption|Query details
Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Query details
Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|Query details
Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|Query details
Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Query details
Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|Query details
Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Query details
Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Query details
Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|Query details
Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|Query details
Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Query details
Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|Query details
Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|Query details
Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|Query details
Documentation
| +|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|Query details
Documentation
| +|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Query details
Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Query details
Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Query details
Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|Query details
Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|Query details
Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Query details
Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|Query details
Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|Query details
Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|Query details
Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|Query details
Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|Query details
Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|Query details
Documentation
| +|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|Query details
Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Query details
Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Query details
Documentation
| +|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|CloudFormation|Medium|Observability|Query details
Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Query details
Documentation
| +|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Query details
Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Query details
Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|Query details
Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Query details
Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Query details
Documentation
| +|API Gateway Access Logging Disabled
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|Query details
Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|Query details
Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Query details
Documentation
| +|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|Query details
Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|Query details
Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|Query details
Documentation
| +|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|Query details
Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|Query details
Documentation
| +|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|Query details
Documentation
| +|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|Query details
Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|Query details
Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|Query details
Documentation
| +|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|Query details
Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|Query details
Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Query details
Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Query details
Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Query details
Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Query details
Documentation
| +|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Query details
Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|Query details
Documentation
| +|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|Query details
Documentation
| +|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|Query details
Documentation
| +|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|Query details
Documentation
| +|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|Query details
Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|Query details
Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|Query details
Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Query details
Documentation
| +|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|Query details
Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Query details
Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|Query details
Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|Query details
Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|Query details
Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Query details
Documentation
| +|ECS Cluster with Container Insights Disabled
ab759fde-e1e8-4b0e-ad73-ba856e490ed8|CloudFormation|Low|Observability|Query details
Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Query details
Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|Query details
Documentation
| +|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|CloudFormation|Low|Observability|Query details
Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|Query details
Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|Query details
Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|Query details
Documentation
| +|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|Query details
Documentation
| +|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|Query details
Documentation
| +|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|Query details
Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|Query details
Documentation
| +|EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|CloudFormation|Info|Observability|Query details
Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|Disk Encryption Disabled
1ee0f202-31da-49ba-bbce-04a989912e4b|Terraform|Medium|Encryption|Query details
Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|Query details
Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|Query details
Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Query details
Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|Query details
Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|Query details
Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|Query details
Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|Query details
Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|Query details
Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|Query details
Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|Query details
Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Query details
Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|Query details
Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|Query details
Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Query details
Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|Query details
Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Query details
Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|Query details
Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|Query details
Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|Query details
Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|Query details
Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Query details
Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Query details
Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Query details
Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Query details
Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|Query details
Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|Query details
Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Query details
Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|Query details
Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|Query details
Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Query details
Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|Query details
Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Query details
Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|Query details
Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|Query details
Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|Query details
Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|Query details
Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|Query details
Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Query details
Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Query details
Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Query details
Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Query details
Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|Query details
Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|Query details
Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|Query details
Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|Query details
Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|Query details
Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|Query details
Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|Query details
Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Query details
Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Query details
Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|Query details
Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Query details
Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Query details
Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Query details
Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Query details
Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Query details
Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Query details
Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Query details
Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Query details
Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Query details
Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Query details
Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Query details
Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Query details
Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Query details
Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Query details
Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Query details
Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Query details
Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|Query details
Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Query details
Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Query details
Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|Query details
Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Query details
Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|Query details
Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Query details
Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Query details
Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Query details
Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Query details
Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Query details
Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Query details
Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Query details
Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Query details
Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Query details
Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Query details
Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Query details
Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Query details
Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Query details
Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Query details
Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Query details
Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Query details
Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Query details
Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Query details
Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Query details
Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Query details
Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Query details
Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Query details
Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Query details
Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Query details
Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Query details
Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Query details
Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Query details
Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|Query details
Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Query details
Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Query details
Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Query details
Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Query details
Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|Query details
Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|Query details
Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Query details
Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Query details
Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Query details
Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|Query details
Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|Query details
Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|Query details
Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|Query details
Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Query details
Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|Query details
Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|Query details
Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|Query details
Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Query details
Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|Query details
Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|Query details
Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Query details
Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|Query details
Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|Query details
Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|Query details
Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|Query details
Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|Query details
Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Query details
Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|Query details
Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Query details
Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|Query details
Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Query details
Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|Query details
Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|Query details
Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Query details
Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Query details
Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Query details
Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|Query details
Documentation
| +|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|Terraform|High|Encryption|Query details
Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|Query details
Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|Query details
Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|Query details
Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Query details
Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|Query details
Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|Query details
Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|Query details
Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Query details
Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|Query details
Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|Query details
Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Query details
Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|Query details
Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|Query details
Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Query details
Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|Query details
Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|Query details
Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|Query details
Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|Query details
Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|Query details
Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Query details
Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|Query details
Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|Query details
Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|Query details
Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|Query details
Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|Query details
Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Query details
Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|Query details
Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Query details
Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|Query details
Documentation
| +|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Query details
Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|Query details
Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|Query details
Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|Query details
Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|Query details
Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|Query details
Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Query details
Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Query details
Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Query details
Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|Query details
Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Query details
Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|Query details
Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Query details
Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|Query details
Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Query details
Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Query details
Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Query details
Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Query details
Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|Query details
Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|Query details
Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Query details
Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Query details
Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Query details
Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Query details
Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|Query details
Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Query details
Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Query details
Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|Query details
Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Query details
Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|Query details
Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Query details
Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|Query details
Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Query details
Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Query details
Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Query details
Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|Query details
Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|Query details
Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Query details
Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Query details
Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Query details
Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Query details
Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|Query details
Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|Query details
Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|Query details
Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Query details
Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Query details
Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|Query details
Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|Query details
Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|Query details
Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|Query details
Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|Query details
Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Query details
Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|Query details
Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Query details
Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|Query details
Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|Query details
Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|Query details
Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Query details
Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|Query details
Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Medium|Best Practices|Query details
Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|Query details
Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Query details
Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|Query details
Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|Query details
Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|Query details
Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Query details
Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Query details
Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Query details
Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|Query details
Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|Query details
Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Query details
Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|Query details
Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|Query details
Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Query details
Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|Query details
Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|Query details
Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|Query details
Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Query details
Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|Query details
Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|Query details
Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|Query details
Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|Query details
Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Query details
Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Query details
Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|Query details
Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Query details
Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Query details
Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|Query details
Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Query details
Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|Query details
Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|Query details
Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|Query details
Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Query details
Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|Query details
Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|Query details
Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|Query details
Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|Query details
Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Query details
Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|Query details
Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|Query details
Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|Query details
Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Query details
Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Query details
Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Query details
Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|Query details
Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|Query details
Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Query details
Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Query details
Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Query details
Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Query details
Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Query details
Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Query details
Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|Query details
Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|Query details
Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|Query details
Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Query details
Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|Query details
Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|Query details
Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|Query details
Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|Query details
Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|Query details
Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|Query details
Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|Query details
Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Query details
Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|Query details
Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|Query details
Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Query details
Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|Query details
Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Query details
Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Query details
Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Query details
Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|Query details
Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|Query details
Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Query details
Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|Query details
Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Query details
Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Query details
Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Query details
Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Query details
Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|Query details
Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Query details
Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Query details
Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Query details
Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Query details
Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|Query details
Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Query details
Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|Query details
Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|Query details
Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|Query details
Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Query details
Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|Query details
Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|Query details
Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|Query details
Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|Query details
Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|Query details
Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Query details
Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|Query details
Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Query details
Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Nifcloud LB Use Insecure TLS Policy ID
944439c7-b4b8-476a-8f83-14641ea876ba|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud LB Listener Use HTTP Port
9f751a80-31f0-43a3-926c-20772791a038|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud ELB Use HTTP Protocol
e2de2b80-2fc2-4502-a764-40930dfcc70a|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud ELB Listener Use HTTP Protocol
afcb0771-4f94-44ed-ad4a-9f73f11ce6e0|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud LB Use HTTP Port
94e47f3f-b90b-43a1-a36d-521580bae863|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud LB Use Insecure TLS Policy Name
675e8eaa-2754-42b7-bf33-bfa295d1601d|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud DNS Has Verified Record
a1defcb6-55e8-4511-8c2a-30b615b0e057|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud Computing Has Public Ingress Security Group Rule
b2ea2367-8dc9-4231-a035-d0b28bfa3dde|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud NAS Has Public Ingress NAS Security Group Rule
8d7758a7-d9cd-499a-a83e-c9bdcbff728d|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Has Public DB Ingress Security Group Rule
a0b846e8-815f-4f15-b660-bc4ab9fa1e1a|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud Vpn Gateway Undefined Security Group To Vpn Gateway
b3535a48-910c-47f8-8b3b-14222f29ef80|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Has Public DB Access
fb387023-e4bb-42a8-9a70-6708aa7ff21b|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud Router Undefined Security Group To Router
e7dada38-af20-4899-8955-dabea84ab1f0|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud Computing Undefined Security Group To Instance
89218b48-75c9-4cb3-aaba-5299e852e8bc|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Has Backup Retention Less Than 2 Day
e5071f76-cbe7-468d-bb2b-d10f02d2b713|Terraform|Medium|Backup|Query details
Documentation
| +|Nifcloud Computing Has Common Private Network
df58dd45-8009-43c2-90f7-c90eb9d53ed9|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud Computing Undefined Description To Security Group Rule
e4610872-0b1c-4fb7-ab57-d81c0afdb291|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud Router Has Common Private Network
30c2760c-740e-4672-9d7f-2c29e0cb385d|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Has Common Private Network
9bf57c23-fbab-4222-85f3-3f207a53c6a8|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Undefined Description To DB Security Group
940ddce2-26bd-4e31-a9b4-382714f73231|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud NAS Undefined Description To NAS Security Group
e840c54a-7a4c-405f-b8c1-c49a54b87d11|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud ELB Has Common Private Network
5061f84c-ab66-4660-90b9-680c9df346c0|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud NAS Has Common Private Network
4b801c38-ebb4-4c81-984b-1ba525d43adf|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud Computing Undefined Description To Security Group
41c127a9-3a85-4bc3-a333-ed374eb9c3e4|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|Query details
Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|Query details
Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|Query details
Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|Query details
Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|Query details
Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Query details
Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|Query details
Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Query details
Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|Query details
Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Query details
Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Query details
Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Query details
Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Query details
Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|Query details
Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Query details
Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|Query details
Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Query details
Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Query details
Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Query details
Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Query details
Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|Query details
Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Query details
Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|Query details
Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Query details
Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Query details
Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Query details
Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|Query details
Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|Query details
Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|Query details
Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|Query details
Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Query details
Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Query details
Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Query details
Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|Query details
Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Query details
Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Query details
Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|Query details
Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Query details
Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Query details
Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Query details
Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Query details
Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Query details
Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|Query details
Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Query details
Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Query details
Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|Query details
Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|Query details
Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Query details
Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Query details
Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|Query details
Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|Query details
Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Query details
Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Query details
Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Query details
Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Query details
Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Query details
Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Query details
Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Query details
Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Query details
Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Query details
Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Query details
Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Query details
Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Query details
Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Query details
Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Query details
Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Query details
Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|Query details
Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|Query details
Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Query details
Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Query details
Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Query details
Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|Query details
Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Query details
Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|Query details
Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|Query details
Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Query details
Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|Query details
Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|Terraform|High|Insecure Configurations|Query details
Documentation
| +|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|Terraform|High|Networking and Firewall|Query details
Documentation
| +|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Terraform|Medium|Best Practices|Query details
Documentation
| +|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Terraform|Medium|Best Practices|Query details
Documentation
| +|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Terraform|Medium|Best Practices|Query details
Documentation
| +|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Terraform|Medium|Best Practices|Query details
Documentation
| +|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Terraform|Medium|Best Practices|Query details
Documentation
| +|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Terraform|Medium|Insecure Defaults|Query details
Documentation
| +|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Terraform|Medium|Insecure Defaults|Query details
Documentation
| +|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Terraform|Medium|Resource Management|Query details
Documentation
| +|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Terraform|Low|Access Control|Query details
Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Query details
Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Query details
Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Query details
Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Query details
Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Query details
Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Query details
Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Query details
Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Query details
Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Query details
Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Query details
Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|Query details
Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Query details
Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Query details
Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|Crossplane|High|Insecure Configurations|Query details
Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|Query details
Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|Query details
Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Query details
Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Query details
Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|Query details
Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|Query details
Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|Query details
Documentation
| +|ECS Cluster with Container Insights Disabled
0c7a76d9-7dc5-499e-81ac-9245839177cb|Crossplane|Low|Observability|Query details
Documentation
| +|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Crossplane|Low|Observability|Query details
Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Query details
Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Query details
Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|Query details
Documentation
| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|CICD|High|Insecure Configurations|Query details
Documentation
| +|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|CICD|High|Insecure Configurations|Query details
Documentation
| +|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|CICD|Medium|Insecure Configurations|Query details
Documentation
| +|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|CICD|Medium|Supply-Chain|Query details
Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Query details
Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Query details
Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|Query details
Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Query details
Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|Query details
Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Query details
Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Query details
Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|Query details
Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Query details
Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Query details
Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|Query details
Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Query details
Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|Query details
Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Query details
Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Query details
Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Query details
Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Query details
Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Query details
Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|Query details
Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Query details
Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Query details
Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Query details
Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Query details
Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Query details
Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Query details
Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Query details
Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|Query details
Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Query details
Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Query details
Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Query details
Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Query details
Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|Query details
Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Query details
Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Query details
Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|Query details
Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|Query details
Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Query details
Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Query details
Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|Query details
Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Query details
Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Query details
Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|Query details
Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|Query details
Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Query details
Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|Query details
Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|Query details
Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|Query details
Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Query details
Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|Query details
Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Query details
Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Query details
Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|Query details
Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Query details
Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Query details
Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|Query details
Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Query details
Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Query details
Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|Query details
Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Query details
Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|Query details
Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Query details
Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Query details
Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process|Query details
Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Query details
Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|Query details
Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Query details
Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Query details
Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|Query details
Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|Query details
Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Query details
Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Query details
Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|Query details
Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Query details
Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|Query details
Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Query details
Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Query details
Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Query details
Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Query details
Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Query details
Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Query details
Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|Query details
Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Query details
Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Query details
Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Query details
Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Query details
Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Query details
Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Query details
Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Query details
Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Query details
Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Query details
Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|Query details
Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Query details
Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|Query details
Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|Query details
Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Query details
Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|Query details
Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Query details
Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Query details
Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Query details
Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Query details
Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|Query details
Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Query details
Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Query details
Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Query details
Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Query details
Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Query details
Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Query details
Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Query details
Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Query details
Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Query details
Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Query details
Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|Query details
Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Query details
Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Query details
Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Query details
Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Query details
Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Query details
Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|Query details
Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|Query details
Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|Query details
Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Query details
Documentation
| +|Shared Volumes Between Containers
8c978947-0ff6-485c-b0c2-0bfca6026466|DockerCompose|Info|Insecure Configurations|Query details
Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Query details
Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Query details
Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|Pulumi|High|Access Control|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|Pulumi|High|Insecure Configurations|Query details
Documentation
| +|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|Pulumi|High|Networking and Firewall|Query details
Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|Query details
Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|Query details
Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|Query details
Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Medium|Best Practices|Query details
Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|Query details
Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|Query details
Documentation
| +|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Pulumi|Medium|Observability|Query details
Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|Query details
Documentation
| +|ECS Cluster with Container Insights Disabled
abcefee4-a0c1-4245-9f82-a473f79a9e2f|Pulumi|Low|Observability|Query details
Documentation
| +|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Pulumi|Low|Observability|Query details
Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|Query details
Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|Query details
Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Query details
Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Query details
Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Query details
Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|Query details
Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Query details
Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|Query details
Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|Query details
Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|Query details
Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Query details
Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Query details
Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Query details
Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Query details
Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Query details
Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Query details
Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Query details
Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Query details
Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions
Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Query details
Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|
Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Query details
Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|
Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Query details
Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|
Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Query details
Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|
Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|Query details
Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|
Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|Query details
Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|
Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Query details
Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set
Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Query details
Documentation
| +|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined
Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Query details
Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|
Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|Query details
Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|
Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|Query details
Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|
Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|
Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.
Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|
Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|
Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|
Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.
Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|
Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|
Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|
Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined
Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|
Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|
Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|
Documentation
| +|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|Query details
Documentation
| +|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|
Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|Query details
Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|
Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|
Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|
Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|
Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|
Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|
Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|
Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|
Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|
Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|
Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|
Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|
Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|
Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|
Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords
Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|
Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|
Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|
Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type
Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type
Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|
Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Query details
Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Query details
Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Query details
Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|Query details
Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|Query details
Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|Query details
Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Query details
Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Query details
Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Query details
Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|Query details
Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Query details
Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Query details
Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Query details
Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|Query details
Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Query details
Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|Query details
Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|Query details
Documentation
| +|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Ansible|Medium|Best Practices|Query details
Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Query details
Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Query details
Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Query details
Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Query details
Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Query details
Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Query details
Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Query details
Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Query details
Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Query details
Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Query details
Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Query details
Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Query details
Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Query details
Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Query details
Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Query details
Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Query details
Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Query details
Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Query details
Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Query details
Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Query details
Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Query details
Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Query details
Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Query details
Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|Query details
Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Query details
Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|Query details
Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|Query details
Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|Query details
Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|Query details
Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|Query details
Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|Query details
Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|Query details
Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|Query details
Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|Query details
Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|Query details
Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Query details
Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Query details
Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Query details
Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|Query details
Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|Query details
Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|Query details
Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|Query details
Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|Query details
Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|Query details
Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Query details
Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|Query details
Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Query details
Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Query details
Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|Query details
Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|Query details
Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|Query details
Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|Query details
Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Query details
Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|Query details
Documentation
| +|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|Query details
Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|Query details
Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|Query details
Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|Ansible|High|Networking and Firewall|Query details
Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|Query details
Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Query details
Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Query details
Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Query details
Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|Query details
Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|Query details
Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|Query details
Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Query details
Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Query details
Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Query details
Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Query details
Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|Query details
Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Query details
Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Query details
Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|Query details
Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Query details
Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|Query details
Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|Query details
Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|Query details
Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Query details
Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Query details
Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|Query details
Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Query details
Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|Query details
Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|Query details
Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Query details
Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|Query details
Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Query details
Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Query details
Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|Query details
Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|Query details
Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|Query details
Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|Query details
Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|Query details
Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|Query details
Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|Query details
Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Query details
Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|Query details
Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|Query details
Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|Query details
Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|Query details
Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Query details
Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|Query details
Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|Query details
Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|Query details
Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|Query details
Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|Query details
Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Query details
Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Query details
Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Query details
Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Query details
Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|Query details
Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Query details
Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|Query details
Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|Query details
Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|Query details
Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|Query details
Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|Query details
Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|Query details
Documentation
| +|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Ansible|Medium|Access Control|Query details
Documentation
| +|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Ansible|Low|Best Practices|Query details
Documentation
| +|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Ansible|Low|Best Practices|Query details
Documentation
| +|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Ansible|Low|Supply-Chain|Query details
Documentation
| +|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Ansible|Info|Supply-Chain|Query details
Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|Query details
Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|Query details
Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Query details
Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Query details
Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|Query details
Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Query details
Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Query details
Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Query details
Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|Query details
Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Query details
Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|Query details
Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Query details
Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|Query details
Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Query details
Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|Query details
Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Query details
Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Query details
Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Query details
Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|Query details
Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Query details
Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Query details
Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|Query details
Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|Query details
Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Query details
Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|Query details
Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|Query details
Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|Query details
Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|Query details
Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Query details
Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Query details
Documentation
| +|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|Ansible|High|Insecure Configurations|Query details
Documentation
| +|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Ansible|Medium|Access Control|Query details
Documentation
| +|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Ansible|Medium|Insecure Configurations|Query details
Documentation
| +|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Ansible|Low|Best Practices|Query details
Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query details
Documentation
| diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md index 60c6dfee4e5..8c4eebe3f83 100644 --- a/docs/queries/ansible-queries.md +++ b/docs/queries/ansible-queries.md @@ -1,281 +1,280 @@ ## Ansible Queries List This page contains all queries from Ansible. -### GCP -Bellow are listed queries related with Ansible GCP: +### HOSTS +Below are listed queries related to Ansible HOSTS: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Medium|Best Practices|Query details
Documentation
| -### CONFIG -Bellow are listed queries related with Ansible CONFIG: +### AZURE +Below are listed queries related to Ansible AZURE: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|High|Insecure Configurations|When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'. (read more)|Documentation
| -|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
| -|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
| -|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Query details
Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Query details
Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Query details
Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Query details
Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Query details
Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Query details
Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Query details
Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|Query details
Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Query details
Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|Query details
Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Query details
Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|Query details
Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Query details
Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Query details
Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Query details
Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Query details
Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|Query details
Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Query details
Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Query details
Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Query details
Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Query details
Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Query details
Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Query details
Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Query details
Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Query details
Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Query details
Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Query details
Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Query details
Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Query details
Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Query details
Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Query details
Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Query details
Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Query details
Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Query details
Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Query details
Documentation
| -### AZURE -Bellow are listed queries related with Ansible AZURE: +### AWS +Below are listed queries related to Ansible AWS: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
|
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|Query details
Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Query details
Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|Query details
Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|Query details
Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|Query details
Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|Query details
Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|Query details
Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|Query details
Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|Query details
Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|Query details
Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|Query details
Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|Query details
Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Query details
Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Query details
Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Query details
Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|Query details
Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|Query details
Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|Query details
Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|Query details
Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|Query details
Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|Query details
Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Query details
Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|Query details
Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Query details
Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Query details
Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|Query details
Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|Query details
Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|Query details
Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|Query details
Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|Query details
Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Query details
Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Query details
Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|Query details
Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|Query details
Documentation
| +|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|Query details
Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|Query details
Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|Query details
Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|Query details
Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|Query details
Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|Query details
Documentation
| +|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|High|Networking and Firewall|Query details
Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|Query details
Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|Query details
Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Query details
Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|Query details
Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Query details
Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|Query details
Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|Query details
Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Query details
Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Query details
Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Query details
Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|Query details
Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|Query details
Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|Query details
Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Query details
Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Query details
Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Query details
Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Query details
Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|Query details
Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Query details
Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Query details
Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|Query details
Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Query details
Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|Query details
Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|Query details
Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|Query details
Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Query details
Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Query details
Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|Query details
Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Query details
Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|Query details
Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|Query details
Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Query details
Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|Query details
Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Query details
Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|Query details
Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Query details
Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|Query details
Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|Query details
Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|Query details
Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|Query details
Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Query details
Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Query details
Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|Query details
Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|Query details
Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|Query details
Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|Query details
Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|Query details
Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|Query details
Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|Query details
Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Query details
Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|Query details
Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|Query details
Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|Query details
Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|Query details
Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Query details
Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|Query details
Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|Query details
Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|Query details
Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|Query details
Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|Query details
Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Query details
Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Query details
Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Query details
Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Query details
Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|Query details
Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Query details
Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|Query details
Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|Query details
Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|Query details
Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|Query details
Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|Query details
Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|Query details
Documentation
|
-### HOSTS
-Bellow are listed queries related with Ansible HOSTS:
+### SHARED (V2/V3)
+Below are listed queries related to Ansible SHARED (V2/V3):
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Ansible Tower Exposed To Internet
1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc|Medium|Best Practices|Avoid exposing Ansible Tower to the public internet, effectively reducing the potential attack surface of your deployment (read more)|Documentation
|
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Medium|Access Control|Query details
Documentation
| +|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Query details
Documentation
| +|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Low|Best Practices|Query details
Documentation
| +|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|Query details
Documentation
| +|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Query details
Documentation
| +|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Query details
Documentation
|
-### AWS
-Bellow are listed queries related with Ansible AWS:
+### GCP
+Below are listed queries related to Ansible GCP:
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
|
-|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
|
-|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
|
-|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
|
-|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
|
-|KMS Key With Full Permissions
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
|
-|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
|
-|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
|
-|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
|
-|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
|
-|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
|
-|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
|
-|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
|
-|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
|
-|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
|
-|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
|
-|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
|
-|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
|
-|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
|
-|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
|
-|Elasticsearch with HTTPS disabled
d6c2d06f-43c1-488a-9ba1-8d75b40fc62d|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
|
-|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
|
-|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
|
-|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
|
-|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
|
-|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
|
-|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
|
-|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
|
-|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
|
-|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
|
-|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
|
-|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
|
-|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
|
-|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
|
-|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
|
-|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
|
-|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
|
-|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
|
-|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
|
-|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
|
-|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
|
-|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
|
-|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
|
-|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
|
-|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
|
-|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
|
-|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
|
-|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy (read more)|Documentation
|
-|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
|
-|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
|
-|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
|
-|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
|
-|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
|
-|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
|
-|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
|
-|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
|
-|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
|
-|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
|
-|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
|
-|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
|
-|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
|
-|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
|
-|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
|
-|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
|
-|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
|
-|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
|
-|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
|
-|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
|
-|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
|
-|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
|
-|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
|
-|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
|
-|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
|
-|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
|
-|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
|
-|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
|
-|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
|
-|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
|
-|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
|
-|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
|
-|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
|
-|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
|
-|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
|
-|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
|
-|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
|
-|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
|
-|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
|
-|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
|
-|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
|
-|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
|
-|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
|
-|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
|
-|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
|
-|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
|
-|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
|
-|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
|
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|Query details
Documentation
|
+|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|Query details
Documentation
|
+|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Query details
Documentation
|
+|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Query details
Documentation
|
+|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|Query details
Documentation
|
+|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Query details
Documentation
|
+|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Query details
Documentation
|
+|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Query details
Documentation
|
+|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|Query details
Documentation
|
+|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Query details
Documentation
|
+|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Query details
Documentation
|
+|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|Query details
Documentation
|
+|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|Query details
Documentation
|
+|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Query details
Documentation
|
+|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Query details
Documentation
|
+|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|Query details
Documentation
|
+|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Query details
Documentation
|
+|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Query details
Documentation
|
+|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|Query details
Documentation
|
+|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Query details
Documentation
|
+|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Query details
Documentation
|
+|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|Query details
Documentation
|
+|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Query details
Documentation
|
+|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Query details
Documentation
|
+|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Query details
Documentation
|
+|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|Query details
Documentation
|
+|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Query details
Documentation
|
+|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Query details
Documentation
|
+|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|Query details
Documentation
|
+|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|Query details
Documentation
|
+|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|Query details
Documentation
|
+|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Query details
Documentation
|
+|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|Query details
Documentation
|
+|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|Query details
Documentation
|
+|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Query details
Documentation
|
+|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Query details
Documentation
|
+|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Query details
Documentation
|
+|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Query details
Documentation
|
+|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Query details
Documentation
|
+|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Query details
Documentation
|
+|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Query details
Documentation
|
+|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Query details
Documentation
|
+|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Query details
Documentation
|
+|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|Query details
Documentation
|
+|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|Query details
Documentation
|
+|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|Query details
Documentation
|
+|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|Query details
Documentation
|
+|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Query details
Documentation
|
+|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Query details
Documentation
|
-### SHARED (V2/V3)
-Bellow are listed queries related with Ansible SHARED (V2/V3):
+### CONFIG
+Below are listed queries related to Ansible CONFIG:
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Privilege Escalation Using Become Plugin
0e75052f-cc02-41b8-ac39-a78017527e95|Medium|Access Control|In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true' (read more)|Documentation
|
-|Communication Over HTTP
2e8d4922-8362-4606-8c14-aa10466a1ce3|Medium|Insecure Configurations|Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks (read more)|Documentation
|
-|Insecure Relative Path Resolution
8d22ae91-6ac1-459f-95be-d37bd373f244|Low|Best Practices|Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change. (read more)|Documentation
|
-|Logging of Sensitive Data
59029ddf-e651-412b-ae7b-ff6d403184bc|Low|Best Practices|To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True (read more)|Documentation
|
-|Unpinned Package Version
c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8|Low|Supply-Chain|Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service (read more)|Documentation
|
-|Risky File Permissions
88841d5c-d22d-4b7e-a6a0-89ca50e44b9f|Info|Supply-Chain|Some modules could end up creating new files on disk with permissions that might be too open or unpredictable (read more)|Documentation
|
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|Allow Unsafe Lookups Enabled
86b97bb4-85c9-462d-8635-cbc057c5c8c5|High|Insecure Configurations|Query details
Documentation
|
+|Privilege Escalation Using Become Plugin
404908b6-4954-4611-98f0-e8ceacdabcb1|Medium|Access Control|Query details
Documentation
|
+|Communication over HTTP
d7dc9350-74bc-485b-8c85-fed22d276c43|Medium|Insecure Configurations|Query details
Documentation
|
+|Logging of Sensitive Data
c6473dae-8477-4119-88b7-b909b435ce7b|Low|Best Practices|Query details
Documentation
|
diff --git a/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md b/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md
deleted file mode 100644
index 6333814be71..00000000000
--- a/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Memcached Disabled
-hide:
- toc: true
- navigation: true
----
-
-
-
-- **Query id:** 2d55ef88-b616-4890-b822-47f280763e89
-- **Query name:** Memcached Disabled
-- **Platform:** Ansible
-- **Severity:** Medium
-- **Category:** Encryption
-- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/memcached_disabled)
-
-### Description
-Check if the Memcached is disabled on the ElastiCache
-[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-engine)
-
-### Code samples
-#### Code samples with security vulnerabilities
-```yaml title="Positive test num. 1 - yaml file" hl_lines="5"
-- name: Basic example
- community.aws.elasticache:
- name: "test-please-delete"
- state: present
- engine: redis
- cache_engine_version: 5.1.10
- node_type: cache.m1.small
- num_nodes: 1
-
-```
-
-
-#### Code samples without security vulnerabilities
-```yaml title="Negative test num. 1 - yaml file"
-- name: Basic example
- community.aws.elasticache:
- name: test-please-delete
- state: present
- engine: memcached
- cache_engine_version: 5.1.10
- node_type: cache.m1.small
- num_nodes: 1
-
-```
diff --git a/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md b/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md
index 96056a2f3f9..bd787c89b3e 100644
--- a/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md
+++ b/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md
@@ -23,7 +23,7 @@ hide:
 - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_sse_disabled)
 ### Description
-If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
+If the master key is null, empty, or undefined, then the SSE algorithm should be AES256. Conversely, if the SSE algorithm is AES256, then the master key should be null, empty, or undefined.
[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-encryption_key_id)
 ### Code samples
diff --git a/docs/queries/ansible-queries/common/c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md b/docs/queries/ansible-queries/common/c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md
index fe4b806eccf..635fb6905ed 100644
--- a/docs/queries/ansible-queries/common/c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md
+++ b/docs/queries/ansible-queries/common/c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8.md
@@ -53,43 +53,43 @@ Setting state to latest performs an update and installs additional packages poss
 name: sudo state: latest update_only: false - + - name: Install nmap community.general.zypper: name: nmap state: latest - + - name: Install package without using cache community.general.apk: name: foo state: latest no_cache: true - + - name: Install apache httpd ansible.builtin.apt: name: apache2 state: latest - + - name: Update Gemfile in another directory community.general.bundler: state: latest chdir: ~/rails_project - + - name: Install a modularity appstream with defined profile ansible.builtin.dnf: - name: '@postgresql/client' + name: "@postgresql/client" state: latest - + - name: Install rake community.general.gem: name: rake state: latest - + - name: Install formula foo with 'brew' from cask community.general.homebrew: name: homebrew/cask/foo state: latest - + - name: Install Green Balls plugin community.general.jenkins_plugin: name: greenballs 
@@ -98,74 +98,74 @@ Setting state to latest performs an update and installs additional packages poss username: user_jenkins password: userpass_jenkins register: result - + - name: Install packages based on package.json community.general.npm: path: /app/location state: latest - + - name: Install nmap community.general.openbsd_pkg: name: nmap state: latest - + - name: Install ntpdate ansible.builtin.package: name: ntpdate state: latest - + - name: Install package bar from file community.general.pacman: name: ~/bar-1.0-1-any.pkg.tar.xz state: latest - + - name: Install finger daemon community.general.pkg5: name: service/network/finger state: latest - + - name: Install several packages community.general.pkgutil: name: - - CSWsudo - - CSWtop + - CSWsudo + - CSWtop state: latest - + - name: Install package foo community.general.portage: package: foo state: latest - + - name: Make sure that it is the most updated package community.general.slackpkg: name: foo state: latest - + - name: Make sure spell foo is installed community.general.sorcery: spell: foo state: latest - + - name: Install package unzip community.general.swdepot: name: unzip state: latest - depot: 'repository:/path' - + depot: "repository:/path" + - name: Install multiple packages win_chocolatey: name: - - procexp - - putty - - windirstat + - procexp + - putty + - windirstat state: latest - + - name: Install "imagemin" node.js package globally. community.general.yarn: name: imagemin global: true state: latest - + - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning) ansible.builtin.yum: name: @@ -173,11 +173,12 @@ Setting state to latest performs an update and installs additional packages poss - postgresql - postgresql-server state: latest - + - name: Install local rpm file community.general.zypper: name: /tmp/fancy-software.rpm state: latest + ``` 
@@ -203,43 +204,43 @@ Setting state to latest performs an update and installs additional packages poss name: sudo state: latest update_only: true - + - name: Install nmap community.general.zypper: name: nmap state: present - + - name: Install package without using cache community.general.apk: name: foo state: present no_cache: true - + - name: Install apache httpd ansible.builtin.apt: name: apache2 state: present - + - name: Update Gemfile in another directory community.general.bundler: state: present chdir: ~/rails_project - + - name: Install a modularity appstream with defined profile ansible.builtin.dnf: - name: '@postgresql/client' + name: "@postgresql/client" state: present - + - name: Install rake community.general.gem: name: rake state: present - + - name: Install formula foo with 'brew' from cask community.general.homebrew: name: homebrew/cask/foo state: present - + - name: Install Green Balls plugin community.general.jenkins_plugin: name: greenballs 
@@ -249,78 +250,78 @@ Setting state to latest performs an update and installs additional packages poss username: user_jenkins password: userpass_jenkins register: result - + - name: Install packages based on package.json community.general.npm: path: /app/location state: present - + - name: Install nmap community.general.openbsd_pkg: name: nmap state: present - + - name: Install ntpdate ansible.builtin.package: name: ntpdate state: present - + - name: Install package bar from file community.general.pacman: name: ~/bar-1.0-1-any.pkg.tar.xz state: present - + - name: Install package bar from file community.general.pacman: name: ~/bar-1.0-1-any.pkg.tar.xz state: present - + - name: Install finger daemon community.general.pkg5: name: service/network/finger state: present - + - name: Install several packages community.general.pkgutil: name: - - CSWsudo - - CSWtop + - CSWsudo + - CSWtop state: present - + - name: Install package foo community.general.portage: package: foo state: present - + - name: Make sure that it is the most updated package community.general.slackpkg: name: foo state: present - + - name: Make sure spell foo is installed community.general.sorcery: spell: foo state: present - + - name: Install package unzip community.general.swdepot: name: unzip state: present - depot: 'repository:/path' - + depot: "repository:/path" + - name: Install multiple packages win_chocolatey: name: - - procexp - - putty - - windirstat + - procexp + - putty + - windirstat state: present - + - name: Install "imagemin" node.js package globally. community.general.yarn: name: imagemin global: true - + - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning) ansible.builtin.yum: name: @@ -328,9 +329,10 @@ Setting state to latest performs an update and installs additional packages poss - postgresql - postgresql-server state: present - + - name: Install local rpm file community.general.zypper: name: /tmp/fancy-software.rpm state: present + ``` 
diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md index 0b0db9c7caa..f72bbf26645 100644 --- a/docs/queries/azureresourcemanager-queries.md +++ b/docs/queries/azureresourcemanager-queries.md @@ -1,47 +1,47 @@ ## AzureResourceManager Queries List This page contains all queries from AzureResourceManager. -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Query details
Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|Query details
Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Query details
Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|Query details
Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Query details
Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Query details
Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|Query details
Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Query details
Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Query details
Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|Query details
Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Query details
Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|Query details
Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Query details
Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Query details
Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Query details
Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Query details
Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Query details
Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|Query details
Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Query details
Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Query details
Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Query details
Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Query details
Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Query details
Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Query details
Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Query details
Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|Query details
Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Query details
Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Query details
Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Query details
Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Query details
Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|Query details
Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Query details
Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|Low|Insecure Configurations|Query details
Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|Query details
Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|Query details
Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Query details
Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Query details
Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|Query details
Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Query details
Documentation
| diff --git a/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md b/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md index aed74f3bab5..83986e3cfee 100644 --- a/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md +++ b/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md @@ -247,6 +247,184 @@ Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true "name": "storageTemplate" } +``` + +
Positive test num. 5 - json file + +```json hl_lines="23" +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "variables": {}, + "resources": [ + { + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2016-10-01", + "name": "[parameters('vaults_pgs_bot_prod_name')]", + "location": "westeurope", + "tags": { + "ProjectCodeBU": "UKMUMD", + "ApplicationName": "PGS HR Chatbot", + "ProjectCodePGDS": "PRJ0024896", + "CostCentreBU": "UKMUMD", + "DataClassification": "General", + "BusinessUnit": "PGS", + "Owner": "Pru UK Andover Innovation Team", + "Contact": "andover2@prudential.co.uk", + "CostCentrePGDS": "ITBUEXP", + "Criticality": "Low" + }, + "properties": { + "sku": { + "family": "A", + "name": "standard" + }, + "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66", + "accessPolicies": [ + { + "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66", + "objectId": "f3e7baf5-8d66-4fb2-b7aa-7b7484309df6", + "permissions": { + "keys": [ + "Get", + "Create", + "Delete", + "List", + "Update", + "Import", + "Backup", + "Restore", + "Recover" + ], + "secrets": [ + "Get", + "List", + "Set", + "Delete", + "Backup", + "Restore", + "Recover" + ], + "certificates": [ + "Get", + "Delete", + "List", + "Create", + "Import", + "Update", + "DeleteIssuers", + "GetIssuers", + "ListIssuers", + "ManageContacts", + "ManageIssuers", + "SetIssuers" + ], + "storage": [ + "delete", + "deletesas", + "get", + "getsas", + "list", + "listsas", + "regeneratekey", + "set", + "setsas", + "update" + ] + } + }, + { + "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66", + "objectId": "1033a977-ffdc-4359-869a-b673d075f128", + "permissions": { + "keys": [], + "secrets": [ + "Get" + ], + "certificates": [], + "storage": [] + } + }, + { + "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66", + "objectId": "13be5d2d-6e1f-4667-add4-02d2d1142ac5", + "permissions": { + "keys": [], + "secrets": [ + "Get", + "List", + "Set", + "Delete", + 
"Backup", + "Restore", + "Recover", + "Purge" + ], + "certificates": [], + "storage": [] + } + }, + { + "tenantId": "aa42167d-6f8d-45ce-b655-d245ef97da66", + "objectId": "e56a2de8-a788-415f-b10f-14bfd3000e1d", + "permissions": { + "keys": [ + "Get", + "List", + "Update", + "Create", + "Import", + "Delete", + "Recover", + "Backup", + "Restore", + "Decrypt", + "Encrypt", + "UnwrapKey", + "WrapKey", + "Verify", + "Sign", + "Purge" + ], + "secrets": [ + "Get", + "List", + "Set", + "Delete", + "Recover", + "Backup", + "Restore", + "Purge" + ], + "certificates": [ + "Get", + "List", + "Update", + "Create", + "Import", + "Delete", + "Recover", + "Backup", + "Restore", + "ManageContacts", + "ManageIssuers", + "GetIssuers", + "ListIssuers", + "SetIssuers", + "DeleteIssuers", + "Purge" + ] + } + } + ], + "enabledForDeployment": false, + "enabledForDiskEncryption": false, + "enabledForTemplateDeployment": false + } + } + ] +} + ```
diff --git a/docs/queries/buildah-queries.md b/docs/queries/buildah-queries.md index 05627bb0f27..52d3723e7ef 100644 --- a/docs/queries/buildah-queries.md +++ b/docs/queries/buildah-queries.md @@ -1,6 +1,6 @@ ## Buildah Queries List This page contains all queries from Buildah. -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Medium|Supply-Chain|Query details
Documentation
| diff --git a/docs/queries/cicd-queries.md b/docs/queries/cicd-queries.md index 23320065552..c5d2a40ef21 100644 --- a/docs/queries/cicd-queries.md +++ b/docs/queries/cicd-queries.md @@ -2,13 +2,13 @@ This page contains all queries from CICD. ### GITHUB -Bellow are listed queries related with CICD GITHUB: +Below are listed queries related to CICD GITHUB: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|High|Insecure Configurations|GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event. (read more)|Documentation
| -|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|Medium|Insecure Configurations|There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution. (read more)|Documentation
| -|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|Medium|Supply-Chain|Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Script Block Injection
62ff6823-927a-427f-acf9-f1ea2932d616|High|Insecure Configurations|Query details
Documentation
| +|Run Block Injection
20f14e1a-a899-4e79-9f09-b6a84cd4649b|High|Insecure Configurations|Query details
Documentation
| +|Unsecured Commands
60fd272d-15f4-4d8f-afe4-77d9c6cc0453|Medium|Insecure Configurations|Query details
Documentation
| +|Unpinned Actions Full Length Commit SHA
555ab8f9-2001-455e-a077-f2d0f41e2fb9|Medium|Supply-Chain|Query details
Documentation
| diff --git a/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md b/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md index 41c1d16eb85..6a5e245ee2d 100644 --- a/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md +++ b/docs/queries/cicd-queries/common/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md @@ -52,7 +52,7 @@ jobs: fi; shell: bash - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} - name: Crawl pages and generate Markdown files @@ -68,6 +68,7 @@ jobs: file_pattern: chinese/articles/*.md commit_user_name: PageToMarkdown Bot commit_user_email: PageToMarkdown-bot@freeCodeCamp.org + ``` ```yaml title="Positive test num. 2 - yaml file" hl_lines="13" name: Pull Request Workflow @@ -200,13 +201,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: - go-version: 1.20.x + go-version: 1.21.x - name: Run test metrics script id: testcov run: | @@ -217,6 +218,7 @@ jobs: run: | echo "Go coverage is lower than 80%: ${{ env.coverage }}%" exit 1 + ``` ```yaml title="Negative test num. 2 - yaml file" name: Issue Workflow diff --git a/docs/queries/cicd-queries/common/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md b/docs/queries/cicd-queries/common/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md index 66179c4a82d..6b3c84ea518 100644 --- a/docs/queries/cicd-queries/common/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md +++ b/docs/queries/cicd-queries/common/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md @@ -72,14 +72,15 @@ name: test-positive on: pull_request: types: [opened, synchronize, edited, reopened] - branches: + branches: - master jobs: test-positive: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false + ``` 
diff --git a/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md b/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md
index d34afbfd9c3..ceeb9ba25fb 100644
--- a/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md
+++ b/docs/queries/cicd-queries/common/62ff6823-927a-427f-acf9-f1ea2932d616.md
@@ -40,7 +40,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -57,6 +57,7 @@ jobs:
 }) return true; + ``` ```yaml title="Positive test num. 2 - yaml file" hl_lines="17" name: test-script-run
@@ -70,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -87,6 +88,7 @@ jobs:
 }) return true; + ``` ```yaml title="Positive test num. 3 - yaml file" hl_lines="17" name: test-script-run
@@ -100,7 +102,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -117,6 +119,7 @@ jobs:
 }) return true; + ```
Positive test num. 4 - yaml file
@@ -132,7 +135,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -149,6 +152,7 @@ jobs:
 }) return true; + ```
Positive test num. 5 - yaml file
@@ -165,7 +169,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -182,6 +186,7 @@ jobs:
 }) return true; + ```
Positive test num. 6 - yaml file
@@ -198,7 +203,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -215,6 +220,7 @@ jobs:
 }) return true; + ```
Positive test num. 7 - yaml file
@@ -231,7 +237,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -248,6 +254,7 @@ jobs:
 }) return true; + ```
@@ -265,7 +272,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -279,6 +286,7 @@ jobs:
 }) return true; + ``` ```yaml title="Negative test num. 2 - yaml file" name: test-script-run
@@ -292,7 +300,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -306,6 +314,7 @@ jobs:
 }) return true; + ``` ```yaml title="Negative test num. 3 - yaml file" name: test-script-run
@@ -319,7 +328,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -333,6 +342,7 @@ jobs:
 }) return true; + ```
Negative test num. 4 - yaml file
@@ -348,7 +358,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -362,6 +372,7 @@ jobs:
 }) return true; + ```
Negative test num. 5 - yaml file
@@ -378,7 +389,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -392,6 +403,7 @@ jobs:
 }) return true; + ```
Negative test num. 6 - yaml file
@@ -408,7 +420,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -422,6 +434,7 @@ jobs:
 }) return true; + ```
Negative test num. 7 - yaml file
@@ -438,7 +451,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest
@@ -452,5 +465,6 @@ jobs:
 }) return true; + ```
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index 40cdffeadf4..7850b8c10c2 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -2,303 +2,304 @@ This page contains all queries from CloudFormation.
 ### AWS_BOM
-Bellow are listed queries related with CloudFormation AWS_BOM:
+Below are listed queries related to CloudFormation AWS_BOM:
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|Query details
Documentation
| ### AWS_SAM -Bellow are listed queries related with CloudFormation AWS_SAM: +Below are listed queries related to CloudFormation AWS_SAM: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|Query details
Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|Query details
Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|Query details
Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|Query details
Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|Query details
Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|Query details
Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|Query details
Documentation
| ### AWS -Bellow are listed queries related with CloudFormation AWS: +Below are listed queries related to CloudFormation AWS: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption' (read more)|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| -|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| -|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| -|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| -|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| -|API Gateway Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway Stage should have Access Logging Settings defined (read more)|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| -|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| -|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| -|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| -|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +| Query |Severity|Category|More info|
 +|------------------------------|--------|--------|-----------|
 +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|Query details
Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|Query details
Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|Query details
Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|Query details
Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
5864fb39-d719-4182-80e2-89dbe627be63|High|Access Control|Query details
Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|Query details
Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|Query details
Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|Query details
Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|Query details
Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|Query details
Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|Query details
Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Query details
Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|Query details
Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|Query details
Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|Query details
Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Query details
Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|Query details
Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Query details
Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Query details
Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Query details
Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Query details
Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|Query details
Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|Query details
Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Query details
Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|Query details
Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Query details
Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|Query details
Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|Query details
Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|Query details
Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|Query details
Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Query details
Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|Query details
Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Query details
Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|Query details
Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|Query details
Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Query details
Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Query details
Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Query details
Documentation
| +|EFS Volume With Disabled Transit Encryption
c1282e03-b285-4637-aee7-eefe3a7bb658|High|Encryption|Query details
Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|Query details
Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|Query details
Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Query details
Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Query details
Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|Query details
Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|Query details
Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|Query details
Documentation
| +|KMS Key With Full Permissions
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|Query details
Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|Query details
Documentation
| +|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|Query details
Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|Query details
Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|Query details
Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|Query details
Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|Query details
Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|Query details
Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|Query details
Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|Query details
Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Query details
Documentation
| +|Elasticsearch with HTTPS disabled
4cdc88e6-c0c8-4081-a639-bb3a557cbedf|High|Networking and Firewall|Query details
Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|Query details
Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Query details
Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|Query details
Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|Query details
Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Query details
Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Query details
Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Query details
Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|Query details
Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|Query details
Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|Query details
Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|Query details
Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|Query details
Documentation
| +|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Query details
Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Query details
Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Query details
Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|Query details
Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|Query details
Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|Query details
Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|Query details
Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Query details
Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|Query details
Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|Query details
Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Query details
Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Query details
Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Query details
Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Query details
Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|Query details
Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Query details
Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Query details
Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|Query details
Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Query details
Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|Query details
Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|Query details
Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Query details
Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|Query details
Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Query details
Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|Query details
Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|Query details
Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|Query details
Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|Query details
Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|Query details
Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|Query details
Documentation
| +|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Query details
Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Query details
Documentation
| +|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|Query details
Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|Query details
Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|Query details
Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|Query details
Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Query details
Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
0f04217d-488f-4e7a-bec8-f16159686cd6|Medium|Best Practices|Query details
Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Query details
Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|Query details
Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|Query details
Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Medium|Encryption|Query details
Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Query details
Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Query details
Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|Query details
Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Query details
Documentation
| +|DynamoDB Table Not Encrypted
4bd21e68-38c1-4d58-acdc-6a14b203237f|Medium|Encryption|Query details
Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Query details
Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|Query details
Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|Query details
Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Query details
Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|Query details
Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Query details
Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Query details
Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|Query details
Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|Query details
Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Query details
Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|Query details
Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|Query details
Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|Query details
Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Query details
Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Query details
Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|Query details
Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|Query details
Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|Query details
Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Query details
Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|Query details
Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|Query details
Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Query details
Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|Query details
Documentation
| +|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|Query details
Documentation
| +|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Query details
Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|Query details
Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|Query details
Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|Query details
Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|Query details
Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|Query details
Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|Query details
Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|Query details
Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|Query details
Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|Query details
Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|Query details
Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|Query details
Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|Query details
Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|Query details
Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|Query details
Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Query details
Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Query details
Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|Query details
Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|Query details
Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Query details
Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|Query details
Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|Query details
Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|Query details
Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|Query details
Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|Query details
Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|Query details
Documentation
| +|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|Query details
Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Query details
Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Query details
Documentation
| +|Elasticsearch Logs Disabled
edbd62d4-8700-41de-b000-b3cfebb5e996|Medium|Observability|Query details
Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Query details
Documentation
| +|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Query details
Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Query details
Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|Query details
Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Query details
Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Query details
Documentation
| +|API Gateway Access Logging Disabled
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|Query details
Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|Query details
Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Query details
Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Query details
Documentation
|
+|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|Query details
Documentation
|
+|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|Query details
Documentation
|
+|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Query details
Documentation
|
+|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Query details
Documentation
|
+|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Query details
Documentation
|
+|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|Query details
Documentation
|
+|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Query details
Documentation
|
+|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|Query details
Documentation
|
+|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|Query details
Documentation
|
+|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Query details
Documentation
|
+|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Query details
Documentation
|
+|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|Query details
Documentation
|
+|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Query details
Documentation
|
+|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|Query details
Documentation
|
+|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|Query details
Documentation
|
+|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|Query details
Documentation
|
+|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|Query details
Documentation
|
+|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|Query details
Documentation
|
+|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|Query details
Documentation
|
+|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|Query details
Documentation
|
+|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|Query details
Documentation
|
+|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|Query details
Documentation
|
+|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|Query details
Documentation
|
+|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|Query details
Documentation
|
+|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Query details
Documentation
|
+|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Query details
Documentation
|
+|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Query details
Documentation
|
+|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Query details
Documentation
|
+|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Query details
Documentation
|
+|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|Query details
Documentation
|
+|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|Query details
Documentation
|
+|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|Query details
Documentation
|
+|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|Query details
Documentation
|
+|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|Query details
Documentation
|
+|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|Query details
Documentation
|
+|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|Query details
Documentation
|
+|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|Query details
Documentation
|
+|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Query details
Documentation
|
+|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|Query details
Documentation
|
+|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Query details
Documentation
|
+|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|Query details
Documentation
|
+|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|Query details
Documentation
|
+|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|Query details
Documentation
|
+|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Query details
Documentation
|
+|ECS Cluster with Container Insights Disabled
ab759fde-e1e8-4b0e-ad73-ba856e490ed8|Low|Observability|Query details
Documentation
|
+|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Query details
Documentation
|
+|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|Query details
Documentation
|
+|DocDB Logging Is Disabled
1bf3b3d4-f373-4d7c-afbb-7d85948a67a5|Low|Observability|Query details
Documentation
|
+|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|Query details
Documentation
|
+|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|Query details
Documentation
|
+|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|Query details
Documentation
|
+|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|Query details
Documentation
|
+|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|Query details
Documentation
|
+|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|Query details
Documentation
|
+|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|Query details
Documentation
|
+|EC2 Instance Monitoring Disabled
0264093f-6791-4475-af34-4b8102dcbcd0|Info|Observability|Query details
Documentation
| diff --git a/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md b/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md index f6fd32645e1..3c906b0e722 100644 --- a/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md +++ b/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md @@ -425,7 +425,7 @@ Resources: } }, "id": "c886b8d1-8c44-4f23-ba01-6e30a2f5be7b", - "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml" + "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml" } ] } diff --git a/docs/queries/cloudformation-queries/aws/0f04217d-488f-4e7a-bec8-f16159686cd6.md b/docs/queries/cloudformation-queries/aws/0f04217d-488f-4e7a-bec8-f16159686cd6.md new file mode 100644 index 00000000000..9f4f9e0b616 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/0f04217d-488f-4e7a-bec8-f16159686cd6.md @@ -0,0 +1,142 @@ +--- +title: DynamoDB Table Point In Time Recovery Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0f04217d-488f-4e7a-bec8-f16159686cd6 +- **Query name:** DynamoDB Table Point In Time Recovery Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled) + +### Description +It's considered a best practice to have point in time recovery enabled for DynamoDB Table
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-pointintimerecoveryspecification.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Positive test num. 1 - yaml file" hl_lines="6"
+Resources:
+ MyDynamoDBTable:
+ Type: AWS::DynamoDB::Table
+ Properties:
+ PointInTimeRecoverySpecification:
+ PointInTimeRecoveryEnabled: false
+
+```
+```yaml title="Positive test num. 2 - yaml file" hl_lines="4"
+Resources:
+ MyDynamoDBTable:
+ Type: AWS::DynamoDB::Table
+ Properties:
+ TableName: my-table
+
+```
+```json title="Positive test num. 3 - json file" hl_lines="8"
+{
+ "Resources": {
+ "DynamoDBOnDemandTable1": {
+ "Type": "AWS::DynamoDB::Table",
+ "Properties": {
+ "BillingMode": "PAY_PER_REQUEST",
+ "PointInTimeRecoverySpecification" : {
+ "PointInTimeRecoveryEnabled" : false
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+ }
+}
+
+```
+
Positive test num. 4 - json file
+
+```json hl_lines="5"
+{
+ "Resources": {
+ "DynamoDBOnDemandTable1": {
+ "Type": "AWS::DynamoDB::Table",
+ "Properties": {
+ "BillingMode": "PAY_PER_REQUEST"
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+ }
+}
+
+```
+
+
Positive test num. 5 - yaml file
+
+```yaml hl_lines="5"
+Resources:
+ MyDynamoDBTable:
+ Type: AWS::DynamoDB::Table
+ Properties:
+ PointInTimeRecoverySpecification: {}
+```
+
+
Positive test num. 6 - json file
+
+```json hl_lines="7"
+{
+ "Resources": {
+ "DynamoDBOnDemandTable1": {
+ "Type": "AWS::DynamoDB::Table",
+ "Properties": {
+ "BillingMode": "PAY_PER_REQUEST",
+ "PointInTimeRecoverySpecification" : {}
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+ }
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+Resources:
+ MyDynamoDBTable:
+ Type: AWS::DynamoDB::Table
+ Properties:
+ PointInTimeRecoverySpecification:
+ PointInTimeRecoveryEnabled: true
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "DynamoDBOnDemandTable1": {
+ "Type": "AWS::DynamoDB::Table",
+ "Properties": {
+ "BillingMode": "PAY_PER_REQUEST",
+ "PointInTimeRecoverySpecification" : {
+ "PointInTimeRecoveryEnabled" : true
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md b/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md
index 24e41c6ac1c..297afc42550 100644
--- a/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md
+++ b/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md
@@ -103,6 +103,86 @@ Resources:
 }
 ```
+```yaml title="Positive test num. 3 - yaml file" hl_lines="21"
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+ cloudfrontdistribution:
+ Type: AWS::CloudFront::Distribution
+ Properties:
+ DistributionConfig:
+ Enabled: true
+ CacheBehaviors:
+ - LambdaFunctionAssociations:
+ - EventType: string-value
+ LambdaFunctionARN: string-value
+ DefaultCacheBehavior:
+ LambdaFunctionAssociations:
+ - EventType: string-value
+ LambdaFunctionARN: string-value
+ IPV6Enabled: boolean-value
+ Origins:
+ - CustomOriginConfig:
+ OriginKeepaliveTimeout: integer-value
+ OriginReadTimeout: integer-value
+ WebACLId: ""
+ Tags:
+ - Key: string-value
+ Value: string-value
+
+```
+
Positive test num. 4 - json file
+
+```json hl_lines="36"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Resources": {
+ "cloudfrontdistribution": {
+ "Type": "AWS::CloudFront::Distribution",
+ "Properties": {
+ "DistributionConfig": {
+ "Enabled": true,
+ "CacheBehaviors": [
+ {
+ "LambdaFunctionAssociations": [
+ {
+ "EventType": "string-value",
+ "LambdaFunctionARN": "string-value"
+ }
+ ]
+ }
+ ],
+ "DefaultCacheBehavior": {
+ "LambdaFunctionAssociations": [
+ {
+ "EventType": "string-value",
+ "LambdaFunctionARN": "string-value"
+ }
+ ]
+ },
+ "IPV6Enabled": "boolean-value",
+ "Origins": [
+ {
+ "CustomOriginConfig": {
+ "OriginKeepaliveTimeout": "integer-value",
+ "OriginReadTimeout": "integer-value"
+ }
+ }
+ ],
+ "WebACLId": ""
+ },
+ "Tags": [
+ {
+ "Value": "string-value",
+ "Key": "string-value"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
#### Code samples without security vulnerabilities diff --git a/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md b/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md index 6c47e84502c..f1554035aa0 100644 --- a/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md +++ b/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md @@ -23,7 +23,7 @@ hide: - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled) ### Description -If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
+If the master key is null, empty, or undefined, then the SSE algorithm should be AES256. Conversely, if the SSE algorithm is AES256, then the master key should be null, empty, or undefined.
[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html) ### Code samples diff --git a/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md b/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md index ade8b35a5d2..86f16cd2883 100644 --- a/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md +++ b/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md @@ -189,7 +189,7 @@ Resources: Principal: AWS: - arn:aws:iam::111122223333:user/Alice - - arn:aws:iam::111122223333:user/Fabio + - arn:aws:iam::111122223333:user/foo Action: s3:GetObject Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/* Condition: @@ -230,7 +230,7 @@ Resources: "Principal": { "AWS": [ "arn:aws:iam::111122223333:user/Alice", - "arn:aws:iam::111122223333:user/Fabio" + "arn:aws:iam::111122223333:user/foo" ] }, "Action": "s3:GetObject", diff --git a/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md b/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md index 4bd9710f538..e502cdab02d 100644 --- a/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md +++ b/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md @@ -1,5 +1,5 @@ --- -title: API Gateway Stage Access Logging Settings Not Defined +title: API Gateway Access Logging Disabled hide: toc: true navigation: true 
@@ -16,11 +16,11 @@ hide: - **Query id:** 80d45af4-4920-4236-a56e-b7ef419d1941 -- **Query name:** API Gateway Stage Access Logging Settings Not Defined +- **Query name:** API Gateway Access Logging Disabled - **Platform:** CloudFormation - **Severity:** Medium - **Category:** Observability -- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined) +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled) ### Description API Gateway Stage should have Access Logging Settings defined
@@ -28,13 +28,16 @@ API Gateway Stage should have Access Logging Settings defined
### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="16" Resources: Prod: Type: AWS::ApiGateway::Stage Properties: StageName: Prod Description: Prod Stage + AccessLogSetting: + DestinationArn: "dest" + Format: "format" RestApiId: !Ref MyRestApi DeploymentId: !Ref TestDeployment DocumentationVersion: "" @@ -65,6 +68,10 @@ Resources: "Type": "AWS::ApiGatewayV2::Stage", "Properties": { "Description": "Prod Stage", + "AccessLogSettings": { + "DestinationArn": "dest", + "Format": "format" + }, "DeploymentId": "MyDeployment", "ApiId": "CFNWebSocket", "StageName": "Prod" @@ -74,7 +81,7 @@ Resources: } ``` -```json title="Positive test num. 3 - json file" hl_lines="17" +```json title="Positive test num. 3 - json file" hl_lines="21" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -83,6 +90,10 @@ Resources: "Properties": { "StageName": "Prod", "Description": "Prod Stage", + "AccessLogSettings": { + "DestinationArn": "dest", + "Format": "format" + }, "DeploymentId": { "Ref": "MyDeployment" }, @@ -104,7 +115,7 @@ Resources: ```
Positive test num. 4 - json file -```json hl_lines="15" +```json hl_lines="19" { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { @@ -113,6 +124,10 @@ Resources: "Properties": { "StageName": "Prod", "Description": "Prod Stage", + "AccessLogSettings": { + "DestinationArn": "dest", + "Format": "format" + }, "DeploymentId": { "Ref": "MyDeployment" }, @@ -132,6 +147,297 @@ Resources: ```
+
Positive test num. 5 - json file
+
+```json hl_lines="6"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "MyStage": {
+ "Type": "AWS::ApiGatewayV2::Stage",
+ "Properties": {
+ "StageName": "Prod",
+ "Description": "Prod Stage",
+ "DeploymentId": {
+ "Ref": "MyDeployment"
+ },
+ "ApiId": {
+ "Ref": "CFNWebSocket"
+ },
+ "DefaultRouteSettings": {
+ "DetailedMetricsEnabled": true,
+ "LoggingLevel": "INFO",
+ "DataTraceEnabled": false,
+ "ThrottlingBurstLimit": 10,
+ "ThrottlingRateLimit": 10
+ }
+ }
+ }
+ }
+}
+```
+
+
Positive test num. 6 - json file
+
+```json hl_lines="6"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "MyStage": {
+ "Type": "AWS::ApiGateway::Stage",
+ "Properties": {
+ "StageName": "Prod",
+ "Description": "Prod Stage",
+ "DeploymentId": {
+ "Ref": "MyDeployment"
+ },
+ "MethodSettings": {
+ "DetailedMetricsEnabled": true,
+ "LoggingLevel": "INFO",
+ "DataTraceEnabled": false,
+ "ThrottlingBurstLimit": 10,
+ "ThrottlingRateLimit": 10
+ },
+ "RestApiId": {
+ "Ref": "CFNWebSocket"
+ }
+ }
+ }
+ }
+}
+```
+
+
Positive test num. 7 - json file
+
+```json hl_lines="7"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Router53",
+ "Resources": {
+ "MyStage": {
+ "Type": "AWS::ApiGateway::Stage",
+ "Properties": {
+ "Description": "Prod Stage",
+ "AccessLogSetting": {
+ "DestinationArn": "dest",
+ "Format": "format"
+ },
+ "DeploymentId": "MyDeployment",
+ "RestApiId": "CFNWebSocket",
+ "StageName": "Prod"
+ }
+ }
+ }
+}
+```
+
+
Positive test num. 8 - yaml file
+
+```yaml hl_lines="4"
+Resources:
+ Prod:
+ Type: AWS::ApiGateway::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ AccessLogSetting:
+ DestinationArn: "dest"
+ Format: "format"
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: ""
+```
+
+
Positive test num. 9 - yaml file
+
+```yaml hl_lines="4"
+Resources:
+ Prod:
+ Type: AWS::ApiGatewayV2::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ AccessLogSettings:
+ DestinationArn: "dest"
+ Format: "format"
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: ""
+ ApiId: "teste"
+```
+
+
Positive test num. 10 - json file
+
+```json hl_lines="19"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "MyStage": {
+ "Type": "AWS::ApiGateway::Stage",
+ "Properties": {
+ "StageName": "Prod",
+ "Description": "Prod Stage",
+ "AccessLogSetting": {
+ "DestinationArn": "dest",
+ "Format": "format"
+ },
+ "DeploymentId": {
+ "Ref": "MyDeployment"
+ },
+ "RestApiId": {
+ "Ref": "CFNWebSocket"
+ },
+ "MethodSettings": {
+ }
+ }
+ }
+ }
+}
+```
+
+
Positive test num. 11 - yaml file
+
+```yaml hl_lines="4 13"
+Resources:
+ Prod:
+ Type: AWS::ApiGateway::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ AccessLogSetting:
+ DestinationArn: "dest"
+ Format: "format"
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: ""
+ MethodSettings:
+```
+
+
Positive test num. 12 - json file
+
+```json hl_lines="21"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "MyStage": {
+ "Type": "AWS::ApiGateway::Stage",
+ "Properties": {
+ "StageName": "Prod",
+ "Description": "Prod Stage",
+ "AccessLogSetting": {
+ "DestinationArn": "dest",
+ "Format": "format"
+ },
+ "DeploymentId": {
+ "Ref": "MyDeployment"
+ },
+ "RestApiId": {
+ "Ref": "CFNWebSocket"
+ },
+ "MethodSettings": {
+ "DetailedMetricsEnabled": true,
+ "LoggingLevel": "OFF",
+ "DataTraceEnabled": false,
+ "ThrottlingBurstLimit": 10,
+ "ThrottlingRateLimit": 10
+ }
+ }
+ }
+ }
+}
+```
+
+
Positive test num. 13 - yaml file
+
+```yaml hl_lines="4 14"
+Resources:
+ Prod:
+ Type: AWS::ApiGatewayV2::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ AccessLogSettings:
+ DestinationArn: "dest"
+ Format: "format"
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: ""
+ ApiId: "teste"
+ DefaultRouteSettings:
+```
+
+
Positive test num. 14 - yaml file
+
+```yaml hl_lines="14"
+Resources:
+ Prod:
+ Type: AWS::ApiGateway::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ AccessLogSetting:
+ DestinationArn: "dest"
+ Format: "format"
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: ""
+ MethodSettings:
+ LoggingLevel: "OFF"
+```
+
+
Positive test num. 15 - yaml file
+
+```yaml hl_lines="15"
+Resources:
+ Prod:
+ Type: AWS::ApiGatewayV2::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ AccessLogSettings:
+ DestinationArn: "dest"
+ Format: "format"
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: ""
+ ApiId: "teste"
+ DefaultRouteSettings:
+ LoggingLevel: "OFF"
+```
+
+
Positive test num. 16 - yaml file
+
+```yaml hl_lines="4"
+Resources:
+ Prod:
+ Type: AWS::ApiGateway::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: ""
+ MethodSettings:
+ LoggingLevel: "ON"
+```
+
+
Positive test num. 17 - yaml file
+
+```yaml hl_lines="4"
+Resources:
+ Prod:
+ Type: AWS::ApiGatewayV2::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: ""
+ ApiId: "teste"
+ DefaultRouteSettings:
+ LoggingLevel: "ON"
+```
+
#### Code samples without security vulnerabilities @@ -194,57 +500,51 @@ Resources: ``` ```json title="Negative test num. 3 - json file" { - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Router53", - "Resources": { - "MyStage": { - "Type": "AWS::ApiGatewayV2::Stage", - "Properties": { - "Description": "Prod Stage", - "DeploymentId": "MyDeployment", - "ApiId": "CFNWebSocket", - "DefaultRouteSettings": { - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10, - "DetailedMetricsEnabled": true, - "LoggingLevel": "INFO", - "DataTraceEnabled": false - }, - "StageName": "Prod" - } - } - } -} - -``` -
Negative test num. 4 - json file - -```json -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Resources": { - "MyStage": { - "Type": "AWS::ApiGatewayV2::Stage", - "Properties": { - "StageName": "Prod", - "Description": "Prod Stage", - "DeploymentId": { - "Ref": "MyDeployment" - }, - "ApiId": { - "Ref": "CFNWebSocket" - }, - "DefaultRouteSettings": { - "DetailedMetricsEnabled": true, - "LoggingLevel": "INFO", - "DataTraceEnabled": false, - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10 + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MyStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "AccessLogSetting": { + "DestinationArn": "dest", + "Format": "format" + }, + "DeploymentId": { + "Ref": "MyDeployment" + }, + "MethodSettings": { + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + "RestApiId": { + "Ref": "CFNWebSocket" + } + } } - } } - } } +``` +
Negative test num. 4 - yaml file +```yaml +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + MethodSettings: + LoggingLevel: "ON" + AccessLogSetting: + DestinationArn: "dest" + Format: "format" ```
diff --git a/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md b/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md index 587c8f84ca9..42c0ece1ec0 100644 --- a/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md +++ b/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md @@ -81,7 +81,7 @@ Resources: } }, "id": "f63e21c6-c58e-45cf-b7b4-6b548d9f7674", - "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml" + "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml" } ] } diff --git a/docs/queries/cloudformation-queries/aws/ab759fde-e1e8-4b0e-ad73-ba856e490ed8.md b/docs/queries/cloudformation-queries/aws/ab759fde-e1e8-4b0e-ad73-ba856e490ed8.md new file mode 100644 index 00000000000..8fc8f30b77c --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ab759fde-e1e8-4b0e-ad73-ba856e490ed8.md @@ -0,0 +1,123 @@ +--- +title: ECS Cluster with Container Insights Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ab759fde-e1e8-4b0e-ad73-ba856e490ed8 +- **Query name:** ECS Cluster with Container Insights Disabled +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled) + +### Description +ECS Cluster should enable container insights
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-cluster.html#cfn-ecs-cluster-clustersettings)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Positive test num. 1 - yaml file" hl_lines="4"
+Resources:
+ ECSCluster:
+ Type: 'AWS::ECS::Cluster'
+ Properties:
+ ClusterName: MyCluster
+ Tags:
+ - Key: environment
+ Value: production
+```
+```json title="Positive test num. 2 - json file" hl_lines="7"
+{
+ "Resources": {
+ "ECSCluster": {
+ "Type": "AWS::ECS::Cluster",
+ "Properties": {
+ "ClusterName": "MyCluster",
+ "ClusterSettings": [],
+ "Tags": [
+ {
+ "Key": "environment",
+ "Value": "production"
+ }
+ ]
+ }
+ }
+ }
+}
+```
+```json title="Positive test num. 3 - json file" hl_lines="7"
+{
+ "Resources": {
+ "ECSCluster": {
+ "Type": "AWS::ECS::Cluster",
+ "Properties": {
+ "ClusterName": "MyCluster",
+ "ClusterSettings": [
+ {
+ "Name": "containerInsights",
+ "Value": "disabled"
+ }
+ ],
+ "Tags": [
+ {
+ "Key": "environment",
+ "Value": "production"
+ }
+ ]
+ }
+ }
+ }
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+Resources:
+ ECSCluster:
+ Type: 'AWS::ECS::Cluster'
+ Properties:
+ ClusterName: MyCluster
+ ClusterSettings:
+ - Name: containerInsights
+ Value: enabled
+ Tags:
+ - Key: environment
+ Value: production
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "ECSCluster": {
+ "Type": "AWS::ECS::Cluster",
+ "Properties": {
+ "ClusterName": "MyCluster",
+ "ClusterSettings": [
+ {
+ "Name": "containerInsights",
+ "Value": "enabled"
+ }
+ ],
+ "Tags": [
+ {
+ "Key": "environment",
+ "Value": "production"
+ }
+ ]
+ }
+ }
+ }
+}
+```
diff --git a/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md b/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md
deleted file mode 100644
index a707f588912..00000000000 
--- a/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md +++ /dev/null @@ -1,115 +0,0 @@ ---- -title: Memcached Disabled -hide: - toc: true - navigation: true ---- - - - -- **Query id:** dd0971a6-09c3-4168-8474-a7ef8fbfd99d -- **Query name:** Memcached Disabled -- **Platform:** CloudFormation -- **Severity:** Medium -- **Category:** Encryption -- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/memcached_disabled) - -### Description -Check if the Memcached is disabled on the ElastiCache
-[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-engine) - -### Code samples -#### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="7" -AWSTemplateFormatVersion: 2010-09-09 -Description: A sample template -Resources: - ElasticacheCluster3: - Type: 'AWS::ElastiCache::CacheCluster' - Properties: - Engine: redis - CacheNodeType: cache.t2.micro - NumCacheNodes: '1' - VpcSecurityGroupIds: - - !GetAtt - - ElasticacheSecurityGroup - - GroupId - -``` -```json title="Positive test num. 2 - json file" hl_lines="7" -{ - "Description": "A sample template", - "Resources": { - "ElasticacheCluster4": { - "Type": "AWS::ElastiCache::CacheCluster", - "Properties": { - "Engine": "redis", - "CacheNodeType": "cache.t2.micro", - "NumCacheNodes": "1", - "VpcSecurityGroupIds": [ - { - "Fn::GetAtt": [ - "ElasticacheSecurityGroup", - "GroupId" - ] - } - ] - } - } - }, - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" -} - -``` - - -#### Code samples without security vulnerabilities -```yaml title="Negative test num. 1 - yaml file" -AWSTemplateFormatVersion: 2010-09-09 -Description: A sample template -Resources: - ElasticacheCluster: - Type: 'AWS::ElastiCache::CacheCluster' - Properties: - Engine: memcached - CacheNodeType: cache.t2.micro - NumCacheNodes: '1' - VpcSecurityGroupIds: - - !GetAtt - - ElasticacheSecurityGroup - - GroupId - -``` -```json title="Negative test num. 2 - json file" -{ - "Description": "A sample template", - "Resources": { - "ElasticacheCluster2": { - "Type": "AWS::ElastiCache::CacheCluster", - "Properties": { - "Engine": "memcached", - "CacheNodeType": "cache.t2.micro", - "NumCacheNodes": "1", - "VpcSecurityGroupIds": [ - { - "Fn::GetAtt": [ - "ElasticacheSecurityGroup", - "GroupId" - ] - } - ] - } - } - }, - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" -} - -``` 
diff --git a/docs/queries/cloudformation-queries/aws/edbd62d4-8700-41de-b000-b3cfebb5e996.md b/docs/queries/cloudformation-queries/aws/edbd62d4-8700-41de-b000-b3cfebb5e996.md index 76e0fe38ec4..208fe418602 100644 --- a/docs/queries/cloudformation-queries/aws/edbd62d4-8700-41de-b000-b3cfebb5e996.md +++ b/docs/queries/cloudformation-queries/aws/edbd62d4-8700-41de-b000-b3cfebb5e996.md @@ -398,7 +398,7 @@ Resources: } }, "id": "c886b8d1-8c44-4f23-ba01-6e30a2f5be7b", - "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml" + "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml" } ] } diff --git a/docs/queries/common-queries.md b/docs/queries/common-queries.md index e4337e1d977..3e91966bca2 100644 --- a/docs/queries/common-queries.md +++ b/docs/queries/common-queries.md @@ -1,6 +1,6 @@ ## Common Queries List This page contains all queries from Common. -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|High|Secret Management|Query details
Documentation
| diff --git a/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md b/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md index 01f265ab51d..4c069266e48 100644 --- a/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md +++ b/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md @@ -352,8 +352,8 @@ EOF tags = merge({ Name = "${local.resource_prefix.value}-ec2" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -367,8 +367,8 @@ resource "aws_ebs_volume" "web_host_storage" { tags = merge({ Name = "${local.resource_prefix.value}-ebs" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -381,8 +381,8 @@ resource "aws_ebs_snapshot" "example_snapshot" { tags = merge({ Name = "${local.resource_prefix.value}-ebs-snapshot" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -423,8 +423,8 @@ resource "aws_security_group" "web-node" { } depends_on = [aws_vpc.web_vpc] tags = { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" } @@ -437,8 +437,8 @@ resource "aws_vpc" "web_vpc" { tags = merge({ Name = "${local.resource_prefix.value}-vpc" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) 
@@ -453,8 +453,8 @@ resource "aws_subnet" "web_subnet" { tags = merge({ Name = "${local.resource_prefix.value}-subnet" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -469,8 +469,8 @@ resource "aws_subnet" "web_subnet2" { tags = merge({ Name = "${local.resource_prefix.value}-subnet2" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -483,8 +483,8 @@ resource "aws_internet_gateway" "web_igw" { tags = merge({ Name = "${local.resource_prefix.value}-igw" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -496,8 +496,8 @@ resource "aws_route_table" "web_rtb" { tags = merge({ Name = "${local.resource_prefix.value}-rtb" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -531,8 +531,8 @@ resource "aws_network_interface" "web-eni" { tags = merge({ Name = "${local.resource_prefix.value}-primary_network_interface" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) 
@@ -549,8 +549,8 @@ resource "aws_flow_log" "vpcflowlogs" { Name = "${local.resource_prefix.value}-flowlogs" Environment = local.resource_prefix.value }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -564,8 +564,8 @@ resource "aws_s3_bucket" "flowbucket" { Name = "${local.resource_prefix.value}-flowlogs" Environment = local.resource_prefix.value }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -1115,8 +1115,8 @@ EOF tags = merge({ Name = "${local.resource_prefix.value}-ec2" }, { - git_last_modified_by = "felipe.avelar@checkmarx.com" - git_modifiers = "felipe.avelar" + git_last_modified_by = "email@email.com" + git_modifiers = "foo.bar" git_org = "checkmarx" git_repo = "kics" }) @@ -1859,7 +1859,7 @@ jobs: runs-on: ubuntu steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 --- @@ -1877,7 +1877,7 @@ jobs: runs-on: ubuntu steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 --- @@ -1895,7 +1895,8 @@ jobs: runs-on: ubuntu steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + ```
Negative test num. 30 - yaml file diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md index eca71c9787c..5a5b2400335 100644 --- a/docs/queries/crossplane-queries.md +++ b/docs/queries/crossplane-queries.md @@ -1,43 +1,44 @@ ## Crossplane Queries List This page contains all queries from Crossplane. -### GCP -Bellow are listed queries related with Crossplane GCP: +### AZURE +Below are listed queries related to Crossplane AZURE: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Query details
Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Query details
Documentation
| -### AZURE -Bellow are listed queries related with Crossplane AZURE: +### AWS +Below are listed queries related to Crossplane AWS: + + + +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|Query details
Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Query details
Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Query details
Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|High|Insecure Configurations|Query details
Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|Query details
Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|Query details
Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Query details
Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Query details
Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|Query details
Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|Query details
Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|Query details
Documentation
| +|ECS Cluster with Container Insights Disabled
0c7a76d9-7dc5-499e-81ac-9245839177cb|Low|Observability|Query details
Documentation
| +|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Low|Observability|Query details
Documentation
| +### GCP +Below are listed queries related to Crossplane GCP: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -### AWS -Bellow are listed queries related with Crossplane AWS: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
d9dc6429-5140-498a-8f55-a10daac5f000|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false and neither dbSubnetGroupName' subnets being part of a VPC that has an Internet gateway attached to it (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|DocDB Logging Is Disabled
e6cd49ba-77ed-417f-9bca-4f5303554308|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Query details
Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Query details
Documentation
| diff --git a/docs/queries/crossplane-queries/aws/0c7a76d9-7dc5-499e-81ac-9245839177cb.md b/docs/queries/crossplane-queries/aws/0c7a76d9-7dc5-499e-81ac-9245839177cb.md new file mode 100644 index 00000000000..3194644400f --- /dev/null +++ b/docs/queries/crossplane-queries/aws/0c7a76d9-7dc5-499e-81ac-9245839177cb.md @@ -0,0 +1,76 @@ +--- +title: ECS Cluster with Container Insights Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0c7a76d9-7dc5-499e-81ac-9245839177cb +- **Query name:** ECS Cluster with Container Insights Disabled +- **Platform:** Crossplane +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled) + +### Description +ECS Cluster should enable container insights
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/ecs.aws.crossplane.io/Cluster/v1alpha1@v0.42.0#spec-forProvider-settings) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Positive test num. 1 - yaml file" hl_lines="6" +apiVersion: ecs.aws.crossplane.io/v1alpha1 +kind: Cluster +metadata: + name: example +spec: + forProvider: + region: us-east-1 +``` +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" +apiVersion: ecs.aws.crossplane.io/v1alpha1 +kind: Cluster +metadata: + name: example +spec: + forProvider: + region: us-east-1 + settings: [] +``` +```yaml title="Positive test num. 3 - yaml file" hl_lines="8" +apiVersion: ecs.aws.crossplane.io/v1alpha1 +kind: Cluster +metadata: + name: example +spec: + forProvider: + region: us-east-1 + settings: + - name: "containerInsights" + value: "disabled" +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: ecs.aws.crossplane.io/v1alpha1 +kind: Cluster +metadata: + name: example +spec: + forProvider: + region: us-east-1 + settings: + - name: "containerInsights" + value: "enabled" +``` diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md index 7f2035ffa26..94346787f48 100644 --- a/docs/queries/dockercompose-queries.md +++ b/docs/queries/dockercompose-queries.md @@ -1,26 +1,26 @@ ## DockerCompose Queries List This page contains all queries from DockerCompose. -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Query details
Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Query details
Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Query details
Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Query details
Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Query details
Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Query details
Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Query details
Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Query details
Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Query details
Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Query details
Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|Query details
Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Query details
Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Query details
Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Query details
Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Query details
Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Query details
Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|Query details
Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|Query details
Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|Query details
Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Query details
Documentation
| +|Shared Volumes Between Containers
8c978947-0ff6-485c-b0c2-0bfca6026466|Info|Insecure Configurations|Query details
Documentation
| diff --git a/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md b/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md index 638a2bb8a37..3ad28af1e6a 100644 --- a/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md +++ b/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md @@ -53,16 +53,19 @@ services: - "./directory:/app" ``` -```yaml title="Positive test num. 3 - yaml file" hl_lines="5" -version: '3' +```yaml title="Positive test num. 3 - yaml file" hl_lines="11" +version: "3" services: - - service_name_3: - image: not/a-real-image:latest - command: ["launch"] + app: + build: app ports: - - "8080:8080" + - "0.0.0.0:80:80" + + internal: + build: internal + pid: "host" + ``` @@ -95,3 +98,15 @@ services: ``` +```yaml title="Negative test num. 3 - yaml file" +version: '3' + +services: + + service_name_3: + image: not/a-real-image:latest + command: ["launch"] + ports: + - "8080:8080" + +``` diff --git a/docs/queries/dockercompose-queries/8c978947-0ff6-485c-b0c2-0bfca6026466.md b/docs/queries/dockercompose-queries/8c978947-0ff6-485c-b0c2-0bfca6026466.md new file mode 100644 index 00000000000..f67e04a1998 --- /dev/null +++ b/docs/queries/dockercompose-queries/8c978947-0ff6-485c-b0c2-0bfca6026466.md @@ -0,0 +1,91 @@ +--- +title: Shared Volumes Between Containers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8c978947-0ff6-485c-b0c2-0bfca6026466 +- **Query name:** Shared Volumes Between Containers +- **Platform:** DockerCompose +- **Severity:** Info +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/shared_volumes_between_containers) + +### Description +Volumes shared between containers can cause data corruption or can be used to share malicious files between containers.
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Positive test num. 1 - yaml file" hl_lines="16 9" +version: "3" + +services: + frontend: + build: frontend + ports: + - "8000:80" + volumes: + - ./logic:/app + + backend: + build: backend + expose: + - 8080 + volumes: + - ./logic:/app +``` +```yaml title="Positive test num. 2 - yaml file" hl_lines="8 17" +version: "3" +services: + app: + build: app + ports: + - "0.0.0.0:80:80" + volumes: + - shared-volume:/app/uploads + depends_on: + - checker + + checker: + build: checker + expose: + - 8080 + volumes: + - shared-volume:/uploads + +volumes: + shared-volume: +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3" + +services: + frontend: + build: frontend + ports: + - "8000:80" + volumes: + - ./logic:/app + + backend: + build: backend + expose: + - 8080 + volumes: + - ./bin:/app +``` diff --git a/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md b/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md deleted file mode 100644 index 89892052c72..00000000000 --- a/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md +++ /dev/null @@ -1,102 +0,0 @@ ---- -title: Networks Not Set -hide: - toc: true - navigation: true ---- - - - -- **Query id:** ce14a68b-1668-41a0-ab7d-facd9f784742 -- **Query name:** Networks Not Set -- **Platform:** DockerCompose -- **Severity:** Medium -- **Category:** Networking and Firewall -- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/networks_not_set) - -### Description -Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.
-[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#networks) - -### Code samples -#### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="7" -version: '2.2' - -volumes: - front_build: - -services: - auth: - build: - context: . - dockerfile: docker_config/Dockerfile - restart: on-failure - pids_limit: 10 - cpus: 0.25 - mem_limit: 500M - -``` -```yaml title="Positive test num. 2 - yaml file" hl_lines="16" -version: '2.2' - -services: - service-service-service: - build: - context: . - dockerfile: service.dockerfile - ports: - - "6969:8080" - networks: - - service-service-frontend - restart: always - security_opt: - - no-new-privileges:true - - auth: - build: - context: . - dockerfile: docker_config/Dockerfile - restart: on-failure - pids_limit: 10 - cpus: 0.25 - mem_limit: 500M - -networks: - service-service-frontend: - -volumes: - front_build: - - -``` - - -#### Code samples without security vulnerabilities -```yaml title="Negative test num. 1 - yaml file" -version: "3.4" -services: - service-service-service: - build: - context: . - dockerfile: service.dockerfile - ports: - - "6969:8080" - networks: - - service-service-frontend - restart: always - security_opt: - - no-new-privileges:true - -networks: - service-service-frontend: - -``` diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md index 2cdaa6c7b64..356711e96ec 100644 --- a/docs/queries/dockerfile-queries.md +++ b/docs/queries/dockerfile-queries.md @@ -1,54 +1,54 @@ ## Dockerfile Queries List This page contains all queries from Dockerfile. -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
|
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Query details
Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|Query details
Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|Query details
Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Query details
Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|Query details
Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|Query details
Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|Query details
Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Query details
Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|Query details
Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Query details
Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Query details
Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|Query details
Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Query details
Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Query details
Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|Query details
Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Query details
Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Query details
Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|Query details
Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Query details
Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Query details
Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Query details
Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|Query details
Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Query details
Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Query details
Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Query details
Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Query details
Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Query details
Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Query details
Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|Query details
Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Query details
Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Query details
Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Query details
Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Query details
Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Query details
Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Query details
Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|Query details
Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|Query details
Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Query details
Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|Query details
Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Query details
Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|Query details
Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Query details
Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Query details
Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process|Query details
Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Query details
Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|Query details
Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Query details
Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Query details
Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|Query details
Documentation
|
diff --git a/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md b/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md
index 5e67dcbf391..42b58a75223 100644
--- a/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md
+++ b/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md
@@ -92,7 +92,7 @@ ADD __BUILD_NUMBER ./four
 ```dockerfile
 FROM golang:1.16 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -102,7 +102,7 @@ ADD cairo-1.13.1.tar.xz /rpmbuild/SOURCES
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=builder /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 RUN useradd -ms /bin/bash patrick
diff --git a/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md b/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md
index df94468e1d6..96aacbe6663 100644
--- a/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md
+++ b/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md
@@ -30,7 +30,7 @@ There can only be one CMD instruction in a Dockerfile. If you list more than one
 #### Code samples with security vulnerabilities
 ```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="11"
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -38,7 +38,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
 CMD ["./apps"]
@@ -48,7 +48,7 @@ CMD ["./apps"]
 #### Code samples without security vulnerabilities
 ```dockerfile title="Negative test num. 1 - dockerfile file"
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -57,6 +57,6 @@ CMD ["./app"]
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
 ```
diff --git a/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md b/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md
index b992239e1a0..b5973ad4ab6 100644
--- a/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md
+++ b/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md
@@ -30,7 +30,7 @@ hide:
 #### Code samples with security vulnerabilities
 ```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="10"
 FROM golang:1.16
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -38,7 +38,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app ./
+COPY --from=0 /go/src/github.com/foo/href-counter/app ./
 CMD ["./app"]
 ```
@@ -47,7 +47,7 @@ CMD ["./app"]
 #### Code samples without security vulnerabilities
 ```dockerfile title="Negative test num. 1 - dockerfile file"
 FROM golang:1.7.3 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -56,7 +56,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
+COPY --from=builder /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
 ```
diff --git a/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md b/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md
index f9f85f148ce..8c90217d2ee 100644
--- a/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md
+++ b/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md
@@ -30,7 +30,7 @@ There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTR
 #### Code samples with security vulnerabilities
 ```dockerfile title="Positive test num. 1 - dockerfile file" hl_lines="11"
 FROM golang:1.7.3
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -38,7 +38,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+COPY --from=0 /go/src/github.com/foo/href-counter/app .
 ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
 ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]
@@ -48,7 +48,7 @@ ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ] #### Code samples without security vulnerabilities ```dockerfile title="Negative test num. 1 - dockerfile file" FROM golang:1.7.3 -WORKDIR /go/src/github.com/alexellis/href-counter/ +WORKDIR /go/src/github.com/foo/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go . RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . @@ -57,6 +57,6 @@ ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ] FROM alpine:latest RUN apk --no-cache add ca-certificates WORKDIR /root/ -COPY --from=0 /go/src/github.com/alexellis/href-counter/app . +COPY --from=0 /go/src/github.com/foo/href-counter/app . ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ] ``` diff --git a/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md b/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md index 58568586d0d..368400ad414 100644 --- a/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md +++ b/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md @@ -28,15 +28,68 @@ Instruction 'RUN update' should always be followed by 'Positive test num. 4 - dockerfile file + +```dockerfile hl_lines="3" +FROM centos:latest +RUN yum update +RUN yum install nginx + +CMD ["nginx", "-g", "daemon off;"] +``` +
+
Positive test num. 5 - dockerfile file + +```dockerfile hl_lines="3" +FROM fedora:latest +RUN dnf update +RUN dnf install nginx + +CMD ["nginx", "-g", "daemon off;"] +``` +
+
Positive test num. 6 - dockerfile file + +```dockerfile hl_lines="3" +FROM archlinux:latest +RUN pacman -Syu +RUN pacman -S nginx + +CMD ["nginx", "-g", "daemon off;"] +``` +
+
Positive test num. 7 - dockerfile file + +```dockerfile hl_lines="3" FROM ubuntu:18.04 RUN apt-get update RUN apt-get install -y --no-install-recommends mysql-client \ && rm -rf /var/lib/apt/lists/* RUN apk update ENTRYPOINT ["mysql"] - ``` +
#### Code samples without security vulnerabilities @@ -51,3 +104,97 @@ RUN apk --update add easy-rsa ENTRYPOINT ["mysql"] ``` +```dockerfile title="Negative test num. 2 - dockerfile file" +FROM ubuntu:18.04 +RUN apt-get update && apt-get install -y netcat \ + apt-get update && apt-get install -y supervisor +ENTRYPOINT ["mysql"] + +``` +```dockerfile title="Negative test num. 3 - dockerfile file" +FROM ubuntu:16.04 + +RUN apt-get update \ + && apt-get install -y --no-install-recommends zend-server-php-5.6=8.5.17+b19 \ + && rm -rf /var/lib/apt/lists/* + +RUN /usr/local/zend/bin/php -r "readfile('https://getcomposer.org/installer');" | /usr/local/zend/bin/php \ + && /usr/local/zend/bin/php composer.phar self-update && /usr/local/zend/bin/php composer.phar update +``` +
Negative test num. 4 - dockerfile file + +```dockerfile +FROM archlinux:latest +RUN pacman -Syu && pacman -S nginx + +CMD ["nginx", "-g", "daemon off;"] +``` +
+
Negative test num. 5 - dockerfile file + +```dockerfile +FROM ubuntu:18.04 +RUN apt-get update && apt-get install -y --no-install-recommends mysql-client \ + && rm -rf /var/lib/apt/lists/* +RUN apk update +ENTRYPOINT ["mysql"] + +``` +
+
Negative test num. 6 - dockerfile file + +```dockerfile +FROM opensuse:latest +RUN zypper refresh && zypper install nginx + +CMD ["nginx", "-g", "daemon off;"] +``` +
+
Negative test num. 7 - dockerfile file + +```dockerfile +FROM debian:latest +RUN apt update && install nginx + +CMD ["nginx", "-g", "daemon off;"] +``` +
+
Negative test num. 8 - dockerfile file + +```dockerfile +FROM centos:latest +RUN yum update && yum install nginx + +CMD ["nginx", "-g", "daemon off;"] +``` +
+
Negative test num. 9 - dockerfile file + +```dockerfile +FROM fedora:latest +RUN dnf update && dnf install nginx + +CMD ["nginx", "-g", "daemon off;"] +``` +
+
Negative test num. 10 - dockerfile file + +```dockerfile +FROM alpine:latest +RUN apk update && apk add nginx +RUN apk --update-cache add vim +RUN apk -U add nano + +CMD ["nginx", "-g", "daemon off;"] +``` +
+
Negative test num. 11 - dockerfile file + +```dockerfile +FROM alpine:latest +RUN apk --update add nginx +RUN apk add --update nginx + +CMD ["nginx", "-g", "daemon off;"] +``` +
diff --git a/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md b/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md
index 4aecc3e72c8..48da98ca6ad 100644
--- a/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md
+++ b/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md
@@ -38,7 +38,7 @@ RUN dir c:\
 #### Code samples without security vulnerabilities
 ```dockerfile title="Negative test num. 1 - dockerfile file"
 FROM golang:1.7.3 AS builder
-WORKDIR /go/src/github.com/alexellis/href-counter/
+WORKDIR /go/src/github.com/foo/href-counter/
 RUN go get -d -v golang.org/x/net/html
 COPY app.go .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
@@ -47,7 +47,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
 FROM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /root/
-COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
+COPY --from=builder /go/src/github.com/foo/href-counter/app .
 CMD ["./app"]
 ```
diff --git a/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md b/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md
index 7a42e9ddd44..f55994b924c 100644
--- a/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md
+++ b/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md
@@ -24,7 +24,7 @@ hide:
 ### Description
 When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.
-[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir)
+[Documentation](https://docs.docker.com/develop/develop-images/instructions/#workdir)
 ### Code samples
 #### Code samples with security vulnerabilities
diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md
index 5399229d8ab..24232abf4f7 100644
--- a/docs/queries/googledeploymentmanager-queries.md
+++ b/docs/queries/googledeploymentmanager-queries.md
@@ -1,53 +1,53 @@
 ## GoogleDeploymentManager Queries List
 This page contains all queries from GoogleDeploymentManager.
-### GCP
-Bellow are listed queries related with GoogleDeploymentManager GCP:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
|
-
 ### GCP_BOM
-Bellow are listed queries related with GoogleDeploymentManager GCP_BOM:
+Below are listed queries related to GoogleDeploymentManager GCP_BOM:
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
|
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|Query details
Documentation
|
+
+### GCP
+Below are listed queries related to GoogleDeploymentManager GCP:
+
+
+
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Query details
Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Query details
Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|Query details
Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Query details
Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|Query details
Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Query details
Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Query details
Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Query details
Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Query details
Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Query details
Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Query details
Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|Query details
Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Query details
Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Query details
Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Query details
Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Query details
Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Query details
Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Query details
Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Query details
Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Query details
Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Query details
Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|Query details
Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Query details
Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|Query details
Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|Query details
Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Query details
Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|Query details
Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Query details
Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Query details
Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Query details
Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Query details
Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|Query details
Documentation
|
diff --git a/docs/queries/grpc-queries.md b/docs/queries/grpc-queries.md
index e876f7ab4bb..0dde2f2198c 100644
--- a/docs/queries/grpc-queries.md
+++ b/docs/queries/grpc-queries.md
@@ -1,6 +1,6 @@
 ## GRPC Queries List
 This page contains all queries from GRPC.
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
|
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|Low|Best Practices|Query details
Documentation
|
diff --git a/docs/queries/knative-queries.md b/docs/queries/knative-queries.md
index 245d3897b60..992b6dd8773 100644
--- a/docs/queries/knative-queries.md
+++ b/docs/queries/knative-queries.md
@@ -1,6 +1,6 @@
 ## Knative Queries List
 This page contains all queries from Knative.
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
|
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Info|Insecure Configurations|Query details
Documentation
|
diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md
index 4b66afc9aa1..2072750588c 100644
--- a/docs/queries/kubernetes-queries.md
+++ b/docs/queries/kubernetes-queries.md
@@ -1,151 +1,151 @@
 ## Kubernetes Queries List
 This page contains all queries from Kubernetes.
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Query details
Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|Query details
Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|Query details
Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|Query details
Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Query details
Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|Query details
Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|Query details
Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|Query details
Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|Query details
Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|Query details
Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Query details
Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Query details
Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Query details
Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Query details
Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Query details
Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Query details
Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Query details
Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|Query details
Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|Query details
Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|Query details
Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|Query details
Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|Query details
Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|Query details
Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|Query details
Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|Query details
Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Query details
Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|Query details
Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|Query details
Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|Query details
Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|Query details
Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|Query details
Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|Query details
Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Query details
Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|Query details
Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Query details
Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Query details
Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|Query details
Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|Query details
Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|Query details
Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Query details
Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|Query details
Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|Query details
Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Query details
Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Query details
Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Query details
Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Query details
Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|Query details
Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|Query details
Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|Query details
Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|Query details
Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|Query details
Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Query details
Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Query details
Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|Query details
Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|Query details
Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Query details
Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Query details
Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|Query details
Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|Query details
Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Query details
Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Query details
Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Query details
Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Query details
Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Query details
Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Query details
Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Query details
Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|Query details
Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Query details
Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Query details
Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Query details
Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Query details
Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|Query details
Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Query details
Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|Query details
Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|Query details
Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|Query details
Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Query details
Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|Query details
Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Query details
Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Query details
Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Query details
Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Query details
Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|Query details
Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|Query details
Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Query details
Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|Query details
Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|Query details
Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Query details
Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|Query details
Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Query details
Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|Query details
Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|Query details
Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|Query details
Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|Query details
Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Query details
Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Query details
Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Query details
Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|Query details
Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|Query details
Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|Query details
Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|Query details
Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|Query details
Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Query details
Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Query details
Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Query details
Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Query details
Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Query details
Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|Query details
Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|Query details
Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|Query details
Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Query details
Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Query details
Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Query details
Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Query details
Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|Query details
Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Query details
Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|Query details
Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Query details
Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Query details
Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Query details
Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Query details
Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Query details
Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|Query details
Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|Query details
Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|Query details
Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|Query details
Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|Query details
Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Query details
Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Query details
Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Query details
Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Query details
Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|Query details
Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|Query details
Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Query details
Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Query details
Documentation
| +|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|Query details
Documentation
| +|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Info|Secret Management|Query details
Documentation
|
diff --git a/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md b/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md
index 6064a79dae5..1feda001660 100644
--- a/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md
+++ b/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md
@@ -92,7 +92,7 @@ spec:
 - name: command-demo-container
 image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
 command: ["kube-apiserver"]
- args: ["--audit-policy-file=/home/miguel/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml"]
+ args: ["--audit-policy-file=/home/foo/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml"]
 restartPolicy: OnFailure
 ---
 apiVersion: audit.k8s.io/v1 # This is required.
@@ -176,7 +176,7 @@ spec:
 containers:
 - name: command-demo-container
 image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
- command: ["kube-apiserver","--audit-policy-file=/home/miguel/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml"]
+ command: ["kube-apiserver","--audit-policy-file=/home/foo/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml"]
 args: []
 restartPolicy: OnFailure
 ---
diff --git a/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md b/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md
index dcfcf6756e7..f7df98ccbf2 100644
--- a/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md
+++ b/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md
@@ -38,7 +38,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--event-qps=1"]
 restartPolicy: OnFailure
@@ -54,7 +54,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet","--event-qps=3"]
 args: []
 restartPolicy: OnFailure
@@ -101,7 +101,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--event-qps=0"]
 restartPolicy: OnFailure
@@ -117,7 +117,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: []
 restartPolicy: OnFailure
diff --git a/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md b/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md
index b0908e83f23..9da2571f4d1 100644
--- a/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md
+++ b/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md
@@ -50,7 +50,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--feature-gates=RotateKubeletServerCertificate=false"]
 restartPolicy: OnFailure
@@ -116,7 +116,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: ["--feature-gates=RotateKubeletServerCertificate=true"]
 restartPolicy: OnFailure
@@ -145,7 +145,7 @@ metadata:
 spec:
 containers:
 - name: command-demo-container
- image: joaodanielrufino/kubelet
+ image: foo/bar
 command: ["kubelet"]
 args: [""]
 restartPolicy: OnFailure
diff --git a/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md b/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md
index a2d47cf0aea..d440421b87b 100644
--- a/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md
+++ b/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md
@@ -69,7 +69,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--anonymous-auth=true"] restartPolicy: OnFailure @@ -86,7 +86,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--anonymous-auth=true"] restartPolicy: OnFailure @@ -167,7 +167,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--anonymous-auth=false"] restartPolicy: OnFailure @@ -185,7 +185,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--anonymous-auth=false"] restartPolicy: OnFailure diff --git a/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md b/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md index bcfd14d6480..719106054d6 100644 --- a/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md +++ b/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md @@ -38,7 +38,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--read-only-port=1"] restartPolicy: OnFailure @@ -54,7 +54,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--read-only-port=1"] restartPolicy: OnFailure @@ -94,7 +94,7 @@ metadata: spec: containers: - name: kubelet-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--read-only-port=0"] restartPolicy: OnFailure @@ -110,7 +110,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--read-only-port=0"] restartPolicy: OnFailure 
diff --git a/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md b/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md index 7e045490a24..47724895803 100644 --- a/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md +++ b/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md @@ -38,7 +38,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] restartPolicy: OnFailure @@ -122,7 +122,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] restartPolicy: OnFailure @@ -138,7 +138,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md b/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md index dff7389353a..4dcaddfa7aa 100644 --- a/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md +++ b/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md @@ -38,7 +38,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--rotate-certificates=false"] restartPolicy: OnFailure @@ -94,7 +94,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--rotate-certificates"] restartPolicy: OnFailure 
diff --git a/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md b/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md index 32a533cd8d5..85fcd1efe50 100644 --- a/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md +++ b/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md @@ -38,7 +38,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--make-iptables-util-chains=false"] restartPolicy: OnFailure @@ -82,7 +82,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--make-iptables-util-chains=true"] restartPolicy: OnFailure @@ -121,7 +121,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [""] restartPolicy: OnFailure diff --git a/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md b/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md index 8c4d4984249..acce9945472 100644 --- a/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md +++ b/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md @@ -38,7 +38,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--protect-kernel-defaults=false"] restartPolicy: OnFailure @@ -54,7 +54,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet","--protect-kernel-defaults=false"] args: [] restartPolicy: OnFailure @@ -101,7 +101,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--protect-kernel-defaults=true"] restartPolicy: OnFailure 
@@ -117,7 +117,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md b/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md index 3c8f26a99e0..8ba822375d6 100644 --- a/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md +++ b/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md @@ -38,7 +38,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--hostname-override=host"] restartPolicy: OnFailure @@ -54,7 +54,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet","--hostname-override=host"] args: [] restartPolicy: OnFailure @@ -73,7 +73,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md b/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md index 91f0a402ae4..a71c1d677e9 100644 --- a/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md +++ b/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md @@ -38,7 +38,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--client-ca-file=/var/lib/ca.txt"] restartPolicy: OnFailure @@ -145,7 +145,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--client-ca-file=/var/lib/ca.pem"] restartPolicy: OnFailure 
@@ -161,7 +161,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md b/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md index 8de862c12cf..6ac2a759d99 100644 --- a/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md +++ b/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md @@ -38,7 +38,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--streaming-connection-idle-timeout=0"] restartPolicy: OnFailure @@ -82,7 +82,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [""] restartPolicy: OnFailure diff --git a/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md b/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md index 25514ba0ee8..86abc712418 100644 --- a/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md +++ b/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md @@ -70,7 +70,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--anonymous-auth=false", "--authorization-mode=MyMode,AlwaysAllow"] @@ -89,7 +89,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--authorization-mode=MyMode,AlwaysAllow"] restartPolicy: OnFailure @@ -169,7 +169,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: ["--authorization-mode=MyMode"] restartPolicy: OnFailure 
@@ -187,7 +187,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet", "--authorization-mode=MyMode"] restartPolicy: OnFailure diff --git a/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md b/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md index c9e4799ffbf..63d9194121b 100644 --- a/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md +++ b/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md @@ -102,7 +102,7 @@ metadata: spec: containers: - name: command-demo-container - image: joaodanielrufino/kubelet + image: foo/bar command: ["kubelet"] args: [] restartPolicy: OnFailure diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md index d20ce63adb4..baf41013881 100644 --- a/docs/queries/openapi-queries.md +++ b/docs/queries/openapi-queries.md @@ -1,297 +1,297 @@ ## OpenAPI Queries List This page contains all queries from OpenAPI. -### 3.0 -Bellow are listed queries related with OpenAPI 3.0: +### 2.0 +Below are listed queries related to OpenAPI 2.0: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Query details
Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|Query details
Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|Query details
Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|Query details
Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Query details
Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Query details
Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|Query details
Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|Query details
Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Query details
Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|Query details
Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Query details
Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Query details
Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Query details
Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Query details
Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Query details
Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Query details
Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Query details
Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Query details
Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Query details
Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Query details
Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|Query details
Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|Query details
Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|Query details
Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|Query details
Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|Query details
Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|Query details
Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|Query details
Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|Query details
Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|Query details
Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Query details
Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|Query details
Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Query details
Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Query details
Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|Query details
Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|Query details
Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Query details
Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|Query details
Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|Query details
Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|Query details
Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Query details
Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Query details
Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Query details
Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Query details
Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Query details
Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Query details
Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Query details
Documentation
| -### 2.0 -Bellow are listed queries related with OpenAPI 2.0: +### SHARED (V2/V3) +Below are listed queries related to OpenAPI SHARED (V2/V3): -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions
Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Query details
Documentation
| +|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|
Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Query details
Documentation
| +|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|
Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Query details
Documentation
| +|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|
Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Query details
Documentation
| +|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|
Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|Query details
Documentation
| +|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|
Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|Query details
Documentation
| +|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|
Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Query details
Documentation
| +|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set
Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Query details
Documentation
| +|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined
Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Query details
Documentation
| +|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control|
Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|Query details
Documentation
| +|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|
Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|Query details
Documentation
| +|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|
Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Query details
Documentation
| +|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|
Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Query details
Documentation
| +|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.
Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|Query details
Documentation
| +|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|
Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|Query details
Documentation
| +|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|
Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|Query details
Documentation
| +|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|
Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Query details
Documentation
| +|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.
Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|Query details
Documentation
| +|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|
Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Query details
Documentation
| +|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|
Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Query details
Documentation
| +|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Query details
Documentation
| +|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|
Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|Query details
Documentation
| +|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined
Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|Query details
Documentation
| +|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|
Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|
Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Query details
Documentation
| +|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|
Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Query details
Documentation
| +|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control|
Documentation
| +|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|Query details
Documentation
| +|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations|
Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|Query details
Documentation
| +|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|
Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Query details
Documentation
| +|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|
Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Query details
Documentation
| +|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|
Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Query details
Documentation
| +|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|
Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Query details
Documentation
| +|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|
Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Query details
Documentation
| +|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|
Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Query details
Documentation
| +|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|
Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Query details
Documentation
| +|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|
Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Query details
Documentation
| +|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|
Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|Query details
Documentation
| +|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|
Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Query details
Documentation
| +|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|
Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Query details
Documentation
| +|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|
Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|Query details
Documentation
| +|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|
Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|Query details
Documentation
| +|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|
Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Query details
Documentation
| +|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords
Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Query details
Documentation
| +|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|
Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|Query details
Documentation
| +|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|
Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|Query details
Documentation
| +|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|
Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Query details
Documentation
| +|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|
Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Query details
Documentation
| +|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|
Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|Query details
Documentation
| +|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|
Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Query details
Documentation
| +|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|
Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|Query details
Documentation
| +|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|
Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Query details
Documentation
| +|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type
Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|Query details
Documentation
| +|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|
Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Query details
Documentation
| +|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|
Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Query details
Documentation
| +|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|
Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|Query details
Documentation
| +|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|
Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|Query details
Documentation
| +|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|
Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Query details
Documentation
| +|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|
Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|Query details
Documentation
| +|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|
Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Query details
Documentation
| +|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type
Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|
Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Query details
Documentation
| +|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|
Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Query details
Documentation
| +|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|
Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|Query details
Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|
Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Query details
Documentation
| +|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|
Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|Query details
Documentation
| +|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|
Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|Query details
Documentation
| +|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|
Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Query details
Documentation
| +|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|
Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Query details
Documentation
| +|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|
Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Query details
Documentation
| +|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|
Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|Query details
Documentation
| -### SHARED (V2/V3) -Bellow are listed queries related with OpenAPI SHARED (V2/V3): +### 3.0 +Below are listed queries related to OpenAPI 3.0: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control||Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| -|No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control||Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control||Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| -|Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control||Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| -|Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control||Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| -|Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control||Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| -|Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| -|Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| -|API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control||Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control||Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| -|Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations||Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| -|String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations||Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| -|JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations||Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| -|Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations||Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| -|JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations||Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| -|Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations||Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| -|Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations||Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| -|Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| -|Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| -|Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| -|Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall||Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| -|Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| -|Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall||Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| -|Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| -|Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall||Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| -|Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall||Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| -|API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control||Documentation
| -|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| -|Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations||Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| -|Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices||Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| -|Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices||Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| -|Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices||Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| -|Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices||Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| -|Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices||Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| -|Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices||Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| -|Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices||Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| -|Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices||Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| -|Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices||Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| -|Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices||Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| -|Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices||Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| -|Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices||Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| -|Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices||Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| -|Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices||Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| -|Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices||Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| -|JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices||Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| -|Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics||Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| -|Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics||Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics||Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| -|Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| -|Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics||Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| -|Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics||Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| -|Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics||Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| -|Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics||Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics||Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| -|OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics||Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| -|Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics||Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| -|Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics||Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| -|Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics||Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| -|Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics||Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| -|Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics||Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| -|Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics||Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| -|Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics||Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| -|Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics||Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| -|Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics||Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| -|Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics||Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| -|Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics||Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics||Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| -|Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| -|Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics||Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| -|Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics||Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
|
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Query details
Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Query details
Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|Query details
Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Query details
Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Query details
Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|Query details
Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|Query details
Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Query details
Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Query details
Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|Query details
Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|Query details
Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|Query details
Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Query details
Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Query details
Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|Query details
Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|Query details
Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Query details
Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|Query details
Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Query details
Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|Query details
Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Query details
Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Query details
Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Query details
Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|Query details
Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Query details
Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Query details
Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Query details
Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|Query details
Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|Query details
Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Query details
Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Query details
Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Query details
Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Query details
Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Query details
Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Query details
Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Query details
Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Query details
Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Query details
Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Query details
Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Query details
Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|Query details
Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|Query details
Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|Query details
Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Query details
Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Query details
Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Query details
Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Query details
Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Query details
Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|Query details
Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Query details
Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|Query details
Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Query details
Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Query details
Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Query details
Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Query details
Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Query details
Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Query details
Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Query details
Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Query details
Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Query details
Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Query details
Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|Query details
Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Query details
Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Query details
Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|Query details
Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Query details
Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Query details
Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Query details
Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Query details
Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Query details
Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Query details
Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Query details
Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|Query details
Documentation
| diff --git a/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md b/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md index aa5647e8f96..072b3a92ced 100644 --- a/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md +++ b/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md @@ -354,6 +354,182 @@ paths: ``` +
Positive test num. 7 - json file + +```json hl_lines="28 23" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32", + "pattern": "[a-z0-9-]*" + }, + "message": { + "type": "string", + "pattern": "[a-z]{3,}" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } + } + } + } +} + +``` +
+
Positive test num. 8 - json file + +```json hl_lines="28" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32", + "pattern": "[a-z0-9-]{2,3}" + }, + "message": { + "type": "string", + "pattern": "[a-z]+" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } + } + } + } +} + +``` +
+
Positive test num. 9 - json file + +```json hl_lines="46 55" +{ + "components": { + "securitySchemes": { + "Basic1": { + "scheme": "basic", + "type": "http" + }, + "JWT1": { + "scheme": "basic", + "type": "http" + }, + "JWT1-1": { + "bearerFormat": "JWT", + "scheme": "bearer", + "type": "http" + } + } + }, + "info": { + "description": "Swagger auto-generated from learnt schema for ves-io-demo-app-waap-sentence-api", + "title": "ves-io-demo-app-waap-sentence-api", + "version": "2023-06-21 13:26:46" + }, + "openapi": "3.0.3", + "paths": { + "/api/adjectives": { + "get": { + "description": "Swagger auto-generated from learnt schema", + "parameters": [ + { + "description": "IPv4 Address", + "in": "header", + "name": "xff", + "schema": { + "pattern": "(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)", + "type": "string", + "x-pii": {} + } + }, + { + "description": "Word", + "in": "header", + "name": "x-f5-request-id", + "schema": { + "pattern": "[a-z0-9-]+", + "type": "string" + } + }, + { + "description": "Word", + "in": "cookie", + "name": "_imp_apg_r_", + "schema": { + "pattern": "[a-z0-9-]+", + "type": "string" + } + } + ], + "responses": { + "default": { + "description": "" + } + }, + "security": [ + { + "JWT1": [] + } + ] + } + } + }, + "servers": [ + ] +} + +``` +
#### Code samples without security vulnerabilities @@ -710,3 +886,99 @@ paths: ``` +
Negative test num. 7 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32", + "pattern": "[a-z0-9-]" + }, + "message": { + "type": "string", + "pattern": "[a-z]{3}" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } + } + } + } +} + +``` +
+
Negative test num. 8 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32", + "pattern": "[a-z0-9-]?" + }, + "message": { + "type": "string", + "pattern": "[a-z]\\{2,\\}" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } + } + } + } +} + +``` +
diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md index 49a2a23334f..f27b4068508 100644 --- a/docs/queries/pulumi-queries.md +++ b/docs/queries/pulumi-queries.md @@ -1,55 +1,56 @@ ## Pulumi Queries List This page contains all queries from Pulumi. -### GCP -Bellow are listed queries related with Pulumi GCP: +### AZURE +Below are listed queries related to Pulumi AZURE: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Query details
Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Query details
Documentation
| -### KUBERNETES -Bellow are listed queries related with Pulumi KUBERNETES: +### AWS +Below are listed queries related to Pulumi AWS: + + + +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|High|Access Control|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|High|Insecure Configurations|Query details
Documentation
| +|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|High|Networking and Firewall|Query details
Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|Query details
Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|Query details
Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|Query details
Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Medium|Best Practices|Query details
Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|Query details
Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|Query details
Documentation
| +|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Medium|Observability|Query details
Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|Query details
Documentation
| +|ECS Cluster with Container Insights Disabled
abcefee4-a0c1-4245-9f82-a473f79a9e2f|Low|Observability|Query details
Documentation
| +|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Low|Observability|Query details
Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|Query details
Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|Query details
Documentation
| +### KUBERNETES +Below are listed queries related to Pulumi KUBERNETES: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -### AZURE -Bellow are listed queries related with Pulumi AZURE: +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Query details
Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Query details
Documentation
| +### GCP +Below are listed queries related to Pulumi GCP: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| -### AWS -Bellow are listed queries related with Pulumi AWS: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Amazon DMS Replication Instance Is Publicly Accessible
bccb296f-362c-4b05-9221-86d1437a1016|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
647de8aa-5a42-41b5-9faf-22136f117380|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
00603add-7f72-448f-a6c0-9e456a7a3f94|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|Elasticsearch Logs Disabled
a1120ee4-a712-42d9-8fb5-22595fed643b|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|DocDB Logging Is Disabled
2ca87964-fe7e-4cdc-899c-427f0f3525f8|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Query details
Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|Query details
Documentation
| diff --git a/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md b/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md index a4eb9b9e30f..b768bb90047 100644 --- a/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md +++ b/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md @@ -18,7 +18,7 @@ hide: - **Query id:** 327b0729-4c5c-4c44-8b5c-e476cd9c7290 - **Query name:** DynamoDB Table Point In Time Recovery Disabled - **Platform:** Pulumi -- **Severity:** Info +- **Severity:** Medium - **Category:** Best Practices - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled) diff --git a/docs/queries/pulumi-queries/aws/abcefee4-a0c1-4245-9f82-a473f79a9e2f.md b/docs/queries/pulumi-queries/aws/abcefee4-a0c1-4245-9f82-a473f79a9e2f.md new file mode 100644 index 00000000000..2478904b7ef --- /dev/null +++ b/docs/queries/pulumi-queries/aws/abcefee4-a0c1-4245-9f82-a473f79a9e2f.md @@ -0,0 +1,78 @@ +--- +title: ECS Cluster with Container Insights Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** abcefee4-a0c1-4245-9f82-a473f79a9e2f +- **Query name:** ECS Cluster with Container Insights Disabled +- **Platform:** Pulumi +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled) + +### Description +ECS Cluster should enable container insights
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/ecs/cluster/#settings_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Positive test num. 1 - yaml file" hl_lines="8" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + foo: + type: aws:ecs:Cluster + properties: + settings: + - name: containerInsights + value: disabled +``` +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + foo: + type: aws:ecs:Cluster + properties: + settings: [] +``` +```yaml title="Positive test num. 3 - yaml file" hl_lines="7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + foo: + type: aws:ecs:Cluster + properties: + description: example + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + foo: + type: aws:ecs:Cluster + properties: + settings: + - name: containerInsights + value: enabled +``` diff --git a/docs/queries/serverlessfw-queries.md b/docs/queries/serverlessfw-queries.md index 4faa0e7640e..32c975e2fa1 100644 --- a/docs/queries/serverlessfw-queries.md +++ b/docs/queries/serverlessfw-queries.md @@ -1,15 +1,15 @@ ## ServerlessFW Queries List This page contains all queries from ServerlessFW. -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|High|Access Control|Query details
Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|High|Encryption|Query details
Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|Medium|Encryption|Query details
Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Query details
Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Query details
Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Query details
Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Query details
Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Query details
Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Query details
Documentation
| diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md index b7bea79c4d3..2a147588776 100644 --- a/docs/queries/terraform-queries.md +++ b/docs/queries/terraform-queries.md @@ -1,752 +1,761 @@ ## Terraform Queries List This page contains all queries from Terraform. -### SHARED (V2/V3) -Bellow are listed queries related with Terraform SHARED (V2/V3): +### AWS_BOM +Below are listed queries related to Terraform AWS_BOM: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|Query details
Documentation
| -### AWS_BOM -Bellow are listed queries related with Terraform AWS_BOM: +### TENCENTCLOUD +Below are listed queries related to Terraform TENCENTCLOUD: -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Disk Encryption Disabled
1ee0f202-31da-49ba-bbce-04a989912e4b|Medium|Encryption|Query details
Documentation
| ### ALICLOUD -Bellow are listed queries related with Terraform ALICLOUD: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| +Below are listed queries related to Terraform ALICLOUD: + + + +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|Query details
Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|Query details
Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Query details
Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|Query details
Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|Query details
Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|Query details
Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|Query details
Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|Query details
Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|Query details
Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|Query details
Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Query details
Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|Query details
Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|Query details
Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Query details
Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|Query details
Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|Query details
Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|Query details
Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Query details
Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|Query details
Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|Query details
Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|Query details
Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|Query details
Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Query details
Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Query details
Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Query details
Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Query details
Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|Query details
Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|Query details
Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Query details
Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|Query details
Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|Query details
Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Query details
Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Query details
Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|Query details
Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Query details
Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|Query details
Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Query details
Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|Query details
Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|Query details
Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|Query details
Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|Query details
Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|Query details
Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Query details
Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Query details
Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Query details
Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Query details
Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|Query details
Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|Query details
Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|Query details
Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|Query details
Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|Query details
Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|Query details
Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|Query details
Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Query details
Documentation
| -### NIFCLOUD -Bellow are listed queries related with Terraform NIFCLOUD: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Nifcloud DNS Has Verified Record
a1defcb6-55e8-4511-8c2a-30b615b0e057|High|Insecure Configurations|Removing verified record of TXT auth the risk that If the authentication record remains, anyone can register the zone (read more)|Documentation
| -|Nifcloud ELB Listener Use HTTP Protocol
afcb0771-4f94-44ed-ad4a-9f73f11ce6e0|High|Insecure Configurations|The elb listener use http protocol (read more)|Documentation
| -|Nifcloud LB Listener Use HTTP Port
9f751a80-31f0-43a3-926c-20772791a038|High|Insecure Configurations|The lb listener use http port (read more)|Documentation
| -|Nifcloud LB Use Insecure TLS Policy ID
944439c7-b4b8-476a-8f83-14641ea876ba|High|Insecure Configurations|The lb use insecure tls policy (read more)|Documentation
| -|Nifcloud LB Use HTTP Port
94e47f3f-b90b-43a1-a36d-521580bae863|High|Insecure Configurations|The lb use http port (read more)|Documentation
| -|Nifcloud LB Use Insecure TLS Policy Name
675e8eaa-2754-42b7-bf33-bfa295d1601d|High|Insecure Configurations|The lb use insecure tls policy (read more)|Documentation
| -|Nifcloud ELB Use HTTP Protocol
e2de2b80-2fc2-4502-a764-40930dfcc70a|High|Insecure Configurations|The elb use http protocol (read more)|Documentation
| -|Nifcloud NAS Has Public Ingress NAS Security Group Rule
8d7758a7-d9cd-499a-a83e-c9bdcbff728d|High|Networking and Firewall|An ingress nas security group rule allows traffic from /0 (read more)|Documentation
| -|Nifcloud Computing Undefined Security Group To Instance
89218b48-75c9-4cb3-aaba-5299e852e8bc|High|Networking and Firewall|Missing security group for instance (read more)|Documentation
| -|Nifcloud Computing Has Public Ingress Security Group Rule
b2ea2367-8dc9-4231-a035-d0b28bfa3dde|High|Networking and Firewall|An ingress security group rule allows traffic from /0 (read more)|Documentation
| -|Nifcloud Router Undefined Security Group To Router
e7dada38-af20-4899-8955-dabea84ab1f0|High|Networking and Firewall|Missing security group for router (read more)|Documentation
| -|Nifcloud RDB Has Public DB Ingress Security Group Rule
a0b846e8-815f-4f15-b660-bc4ab9fa1e1a|High|Networking and Firewall|An db ingress security group rule allows traffic from /0 (read more)|Documentation
| -|Nifcloud RDB Has Public DB Access
fb387023-e4bb-42a8-9a70-6708aa7ff21b|High|Networking and Firewall|The rdb has public db access (read more)|Documentation
| -|Nifcloud Vpn Gateway Undefined Security Group To Vpn Gateway
b3535a48-910c-47f8-8b3b-14222f29ef80|High|Networking and Firewall|Missing security group for vpn gateway (read more)|Documentation
| -|Nifcloud RDB Has Backup Retention Less Than 2 Day
e5071f76-cbe7-468d-bb2b-d10f02d2b713|Medium|Backup|The rdb has backup retention less than 2 day (read more)|Documentation
| -|Nifcloud Router Has Common Private Network
30c2760c-740e-4672-9d7f-2c29e0cb385d|Low|Networking and Firewall|The router has common private network (read more)|Documentation
| -|Nifcloud ELB Has Common Private Network
5061f84c-ab66-4660-90b9-680c9df346c0|Low|Networking and Firewall|The elb has common private network (read more)|Documentation
| -|Nifcloud NAS Has Common Private Network
4b801c38-ebb4-4c81-984b-1ba525d43adf|Low|Networking and Firewall|The nas has common private network (read more)|Documentation
| -|Nifcloud RDB Has Common Private Network
9bf57c23-fbab-4222-85f3-3f207a53c6a8|Low|Networking and Firewall|The rdb has common private network (read more)|Documentation
| -|Nifcloud Computing Has Common Private Network
df58dd45-8009-43c2-90f7-c90eb9d53ed9|Low|Networking and Firewall|The instance has common private network (read more)|Documentation
| -|Nifcloud RDB Undefined Description To DB Security Group
940ddce2-26bd-4e31-a9b4-382714f73231|Low|Networking and Firewall|Missing description for db security group (read more)|Documentation
| -|Nifcloud Computing Undefined Description To Security Group
41c127a9-3a85-4bc3-a333-ed374eb9c3e4|Low|Networking and Firewall|Missing description for security group (read more)|Documentation
| -|Nifcloud Computing Undefined Description To Security Group Rule
e4610872-0b1c-4fb7-ab57-d81c0afdb291|Low|Networking and Firewall|Missing description for security group rule (read more)|Documentation
| -|Nifcloud NAS Undefined Description To NAS Security Group
e840c54a-7a4c-405f-b8c1-c49a54b87d11|Low|Networking and Firewall|Missing description for nas security group (read more)|Documentation
| +### AZURE +Below are listed queries related to Terraform AZURE: + + + +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Query details
Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|Query details
Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Query details
Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Query details
Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Query details
Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Query details
Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Query details
Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Query details
Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Query details
Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Query details
Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Query details
Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Query details
Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Query details
Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Query details
Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|Query details
Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Query details
Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|Query details
Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Query details
Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Query details
Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Query details
Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Query details
Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Query details
Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Query details
Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|Query details
Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Query details
Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Query details
Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|Query details
Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Query details
Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Query details
Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Query details
Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Query details
Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|Query details
Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|Query details
Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Query details
Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|Query details
Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Query details
Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Query details
Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Query details
Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Query details
Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Query details
Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Query details
Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Query details
Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Query details
Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Query details
Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Query details
Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Query details
Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Query details
Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Query details
Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Query details
Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Query details
Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Query details
Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Query details
Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Query details
Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Query details
Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Query details
Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Query details
Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Query details
Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Query details
Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Query details
Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Query details
Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Query details
Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|Query details
Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Query details
Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Query details
Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|Query details
Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Query details
Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Query details
Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Query details
Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Query details
Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Query details
Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Query details
Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Query details
Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Query details
Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Query details
Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Query details
Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Query details
Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Query details
Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|Query details
Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Query details
Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Query details
Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Query details
Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Query details
Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|Query details
Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|Query details
Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Query details
Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Query details
Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Query details
Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Query details
Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|Query details
Documentation
|
-### GCP
-Bellow are listed queries related with Terraform GCP:
-
-
-
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SSL enabled (read more)|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| -|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|GKE cluster nodes must be launched with Shielded VM enabled, which means the attribute 'enable_shielded_nodes' must be set to 'true'. (read more)|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
|
+### AWS
+Below are listed queries related to Terraform AWS:
+
+
+
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|Query details
Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|Query details
Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|Query details
Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|Query details
Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Query details
Documentation
| +|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|Query details
Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|Query details
Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|Query details
Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Query details
Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|Query details
Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|Query details
Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Query details
Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|Query details
Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|Query details
Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|Query details
Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|Query details
Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|Query details
Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|Query details
Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|Query details
Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|Query details
Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Query details
Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Query details
Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Query details
Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|Query details
Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Query details
Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|Query details
Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|Query details
Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Query details
Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Query details
Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Query details
Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|Query details
Documentation
| +|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Query details
Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|Query details
Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|Query details
Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|Query details
Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Query details
Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|Query details
Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|Query details
Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|Query details
Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Query details
Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|Query details
Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|Query details
Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Query details
Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|Query details
Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|Query details
Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Query details
Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|Query details
Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|Query details
Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|Query details
Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|Query details
Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|Query details
Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Query details
Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|Query details
Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|Query details
Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|Query details
Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|Query details
Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|Query details
Documentation
| +|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|Query details
Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|Query details
Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|Query details
Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Query details
Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|Query details
Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Query details
Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|Query details
Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|Query details
Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|Query details
Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|Query details
Documentation
| +|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Query details
Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|Query details
Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Query details
Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|Query details
Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|Query details
Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|Query details
Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Query details
Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|Query details
Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|Query details
Documentation
| +|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Query details
Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|Query details
Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Query details
Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|Query details
Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Query details
Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Query details
Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|Query details
Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Query details
Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|Query details
Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|Query details
Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|Query details
Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|Query details
Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Query details
Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|Query details
Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Query details
Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|Query details
Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Query details
Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Query details
Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Query details
Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Query details
Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|Query details
Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|Query details
Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Query details
Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Query details
Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Query details
Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Query details
Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|Query details
Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Query details
Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Query details
Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|Query details
Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Query details
Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|Query details
Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Query details
Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|Query details
Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Query details
Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Query details
Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Query details
Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|Query details
Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|Query details
Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Query details
Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Query details
Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Query details
Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Query details
Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|Query details
Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|Query details
Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|Query details
Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Query details
Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Query details
Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Query details
Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Query details
Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|Query details
Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|Query details
Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|Query details
Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|Query details
Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|Query details
Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|Query details
Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Query details
Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|Query details
Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Query details
Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|Query details
Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|Query details
Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|Query details
Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|Query details
Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Query details
Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|Query details
Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Medium|Best Practices|Query details
Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|Query details
Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Query details
Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|Query details
Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|Query details
Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|Query details
Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Query details
Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Query details
Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Query details
Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|Query details
Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|Query details
Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Query details
Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|Query details
Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|Query details
Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Query details
Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|Query details
Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|Query details
Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|Query details
Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Query details
Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|Query details
Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|Query details
Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|Query details
Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|Query details
Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Query details
Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Query details
Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|Query details
Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Query details
Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Query details
Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|Query details
Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Query details
Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|Query details
Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|Query details
Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Query details
Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|Query details
Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|Query details
Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|Query details
Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Query details
Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|Query details
Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|Query details
Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|Query details
Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Query details
Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|Query details
Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Query details
Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|Query details
Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Query details
Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Query details
Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|Query details
Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Query details
Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|Query details
Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|Query details
Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|Query details
Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Query details
Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|Query details
Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|Query details
Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|Query details
Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|Query details
Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Query details
Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|Query details
Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|Query details
Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|Query details
Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Query details
Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Query details
Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Query details
Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|Query details
Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|Query details
Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Query details
Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Query details
Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Query details
Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Query details
Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Query details
Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Query details
Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|Query details
Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|Query details
Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|Query details
Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Query details
Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|Query details
Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|Query details
Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|Query details
Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|Query details
Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|Query details
Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|Query details
Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|Query details
Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Query details
Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|Query details
Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|Query details
Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Query details
Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|Query details
Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Query details
Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Query details
Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Query details
Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|Query details
Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|Query details
Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Query details
Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|Query details
Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|Query details
Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|Query details
Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Query details
Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Query details
Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|Query details
Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|Query details
Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|Query details
Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|Query details
Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Query details
Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Query details
Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Query details
Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Query details
Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|Query details
Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Query details
Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Query details
Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Query details
Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Query details
Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|Query details
Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Query details
Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|Query details
Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|Query details
Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|Query details
Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Query details
Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|Query details
Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|Query details
Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|Query details
Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|Query details
Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|Query details
Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Query details
Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|Query details
Documentation
|
-### GCP_BOM
-Bellow are listed queries related with Terraform GCP_BOM:
+### GITHUB
+Below are listed queries related to Terraform GITHUB:
-| Query |Severity|Category|Description|Help|
-|------------------------------|--------|--------|-----------|----|
-|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Query details
Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Query details
Documentation
| -### GITHUB -Bellow are listed queries related with Terraform GITHUB: +### NIFCLOUD +Below are listed queries related to Terraform NIFCLOUD: + + + +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Nifcloud LB Use Insecure TLS Policy ID
944439c7-b4b8-476a-8f83-14641ea876ba|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud LB Listener Use HTTP Port
9f751a80-31f0-43a3-926c-20772791a038|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud ELB Use HTTP Protocol
e2de2b80-2fc2-4502-a764-40930dfcc70a|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud ELB Listener Use HTTP Protocol
afcb0771-4f94-44ed-ad4a-9f73f11ce6e0|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud LB Use HTTP Port
94e47f3f-b90b-43a1-a36d-521580bae863|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud LB Use Insecure TLS Policy Name
675e8eaa-2754-42b7-bf33-bfa295d1601d|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud DNS Has Verified Record
a1defcb6-55e8-4511-8c2a-30b615b0e057|High|Insecure Configurations|Query details
Documentation
| +|Nifcloud Computing Has Public Ingress Security Group Rule
b2ea2367-8dc9-4231-a035-d0b28bfa3dde|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud NAS Has Public Ingress NAS Security Group Rule
8d7758a7-d9cd-499a-a83e-c9bdcbff728d|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Has Public DB Ingress Security Group Rule
a0b846e8-815f-4f15-b660-bc4ab9fa1e1a|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud Vpn Gateway Undefined Security Group To Vpn Gateway
b3535a48-910c-47f8-8b3b-14222f29ef80|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Has Public DB Access
fb387023-e4bb-42a8-9a70-6708aa7ff21b|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud Router Undefined Security Group To Router
e7dada38-af20-4899-8955-dabea84ab1f0|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud Computing Undefined Security Group To Instance
89218b48-75c9-4cb3-aaba-5299e852e8bc|High|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Has Backup Retention Less Than 2 Day
e5071f76-cbe7-468d-bb2b-d10f02d2b713|Medium|Backup|Query details
Documentation
| +|Nifcloud Computing Has Common Private Network
df58dd45-8009-43c2-90f7-c90eb9d53ed9|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud Computing Undefined Description To Security Group Rule
e4610872-0b1c-4fb7-ab57-d81c0afdb291|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud Router Has Common Private Network
30c2760c-740e-4672-9d7f-2c29e0cb385d|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Has Common Private Network
9bf57c23-fbab-4222-85f3-3f207a53c6a8|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud RDB Undefined Description To DB Security Group
940ddce2-26bd-4e31-a9b4-382714f73231|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud NAS Undefined Description To NAS Security Group
e840c54a-7a4c-405f-b8c1-c49a54b87d11|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud ELB Has Common Private Network
5061f84c-ab66-4660-90b9-680c9df346c0|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud NAS Has Common Private Network
4b801c38-ebb4-4c81-984b-1ba525d43adf|Low|Networking and Firewall|Query details
Documentation
| +|Nifcloud Computing Undefined Description To Security Group
41c127a9-3a85-4bc3-a333-ed374eb9c3e4|Low|Networking and Firewall|Query details
Documentation
| + +### SHARED (V2/V3) +Below are listed queries related to Terraform SHARED (V2/V3): -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|Query details
Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|Query details
Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|Query details
Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|Query details
Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|Query details
Documentation
| ### KUBERNETES -Bellow are listed queries related with Terraform KUBERNETES: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| +Below are listed queries related to Terraform KUBERNETES: + + + +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Query details
Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Query details
Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Query details
Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Query details
Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Query details
Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|Query details
Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|Query details
Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|Query details
Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Query details
Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|Query details
Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Query details
Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Query details
Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Query details
Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Query details
Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Query details
Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|Query details
Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Query details
Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Query details
Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Query details
Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|Query details
Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Query details
Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Query details
Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Query details
Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Query details
Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Query details
Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Query details
Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Query details
Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Query details
Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|Query details
Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Query details
Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Query details
Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Query details
Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|Query details
Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Query details
Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Query details
Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Query details
Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Query details
Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|Query details
Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Query details
Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|Query details
Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Query details
Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Query details
Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Query details
Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|Query details
Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|Query details
Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|Query details
Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|Query details
Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Query details
Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Query details
Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Query details
Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|Query details
Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Query details
Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Query details
Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|Query details
Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Query details
Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Query details
Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Query details
Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Query details
Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Query details
Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Query details
Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Query details
Documentation
| -### AWS -Bellow are listed queries related with Terraform AWS: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| -|Amazon DMS Replication Instance Is Publicly Accessible
030d3b18-1821-45b4-9e08-50efbe7becbb|High|Access Control|Amazon DMS is publicly accessible, therefore exposing possible sensitive information. To prevent such a scenario, update the attribute 'PubliclyAccessible' to false. (read more)|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption' (read more)|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA certificate identifier must be one provided by Amazon RDS. (read more)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| -|Aurora With Disabled at Rest Encryption
1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e|High|Encryption|Amazon Aurora does not have encryption for data at rest enabled. To prevent such a scenario, update the attribute 'StorageEncrypted' to 'true'. (read more)|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| -|KMS Key With Full Permissions
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege. (read more)|Documentation
| -|RDS DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| -|Elasticsearch with HTTPS disabled
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e|High|Networking and Firewall|Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true. (read more)|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy (read more)|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Medium|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| +### GCP_BOM +Below are listed queries related to Terraform GCP_BOM: -### DATABRICKS -Bellow are listed queries related with Terraform DATABRICKS: +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|Query details
Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|Query details
Documentation
| -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|High|Insecure Configurations|Databricks Cluster and Job must have restricted permissions (read more)|Documentation
| -|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|High|Networking and Firewall|ACL allow ingress from 0.0.0.0/0 and/or ::/0 (read more)|Documentation
| -|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Medium|Best Practices|One or some Databricks Cluster Azure Attribute Best Practices are not respected (read more)|Documentation
| -|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Medium|Best Practices|One or some Databricks Cluster AWS Attribute Best Practices are not respected (read more)|Documentation
| -|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Medium|Best Practices|Job's Task Is spark_submit_task (read more)|Documentation
| -|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Medium|Best Practices|Spark Version is not a Long-term Support (read more)|Documentation
| -|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Medium|Best Practices|One or some Databricks Cluster GCP Attribute Best Practices are not respected (read more)|Documentation
| -|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Medium|Insecure Defaults|Token has an indefinitely lifetime (read more)|Documentation
| -|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Medium|Insecure Defaults|OBO Token has an indefinitely lifetime (read more)|Documentation
| -|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Medium|Resource Management|Databricks should have min and max worker setup for autoscale (read more)|Documentation
| -|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Low|Access Control|Databricks Group should have at least one user or one instance profile associated (read more)|Documentation
| +### GCP +Below are listed queries related to Terraform GCP: + + + +| Query |Severity|Category|More info| +|------------------------------|--------|--------|-----------| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Query details
Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Query details
Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|Query details
Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|Query details
Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Query details
Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Query details
Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|Query details
Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|Query details
Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Query details
Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Query details
Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Query details
Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Query details
Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Query details
Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Query details
Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Query details
Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Query details
Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Query details
Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Query details
Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Query details
Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Query details
Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Query details
Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Query details
Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Query details
Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Query details
Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Query details
Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Query details
Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Query details
Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Query details
Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|Query details
Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|Query details
Documentation
| +|Shielded GKE Nodes Disabled
579a0727-9c29-4d58-8195-fc5802a8bdb4|Medium|Insecure Configurations|Query details
Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Query details
Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|Query details
Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|Query details
Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Query details
Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Query details
Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Query details
Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Query details
Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Query details
Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Query details
Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Query details
Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Query details
Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Query details
Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Query details
Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Query details
Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Query details
Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|Query details
Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Query details
Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|Query details
Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|Query details
Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Query details
Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|Query details
Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Query details
Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Query details
Documentation
| -### AZURE -Bellow are listed queries related with Terraform AZURE: - - - -| Query |Severity|Category|Description|Help| -|------------------------------|--------|--------|-----------|----| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
|
+### DATABRICKS
+Below are listed queries related to Terraform DATABRICKS:
+
+
+
+| Query |Severity|Category|More info|
+|------------------------------|--------|--------|-----------|
+|Databricks Cluster or Job With None Or Insecure Permission(s)
a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5|High|Insecure Configurations|Query details
Documentation
|
+|Unrestricted Databricks ACL
2c4fe4a9-f44b-4c70-b09b-5b75cd251805|High|Networking and Firewall|Query details
Documentation
|
+|Job's Task is Legacy (spark_submit_task)
375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7|Medium|Best Practices|Query details
Documentation
|
+|Check Databricks Cluster AWS Attribute Best Practices
b0749c53-e3ff-4d09-bbe4-dca94e2e7a38|Medium|Best Practices|Query details
Documentation
|
+|Check Databricks Cluster GCP Attribute Best Practices
539e4557-d2b5-4d57-a001-cb01140a4e2d|Medium|Best Practices|Query details
Documentation
|
+|Check Databricks Cluster Azure Attribute Best Practices
38028698-e663-4ef7-aa92-773fef0ca86f|Medium|Best Practices|Query details
Documentation
|
+|Check use no LTS Spark Version
5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6|Medium|Best Practices|Query details
Documentation
|
+|Indefinitely Databricks OBO Token Lifetime
23e1f5f0-12b7-4d7e-9087-f60f42ccd514|Medium|Insecure Defaults|Query details
Documentation
|
+|Indefinitely Databricks Token Lifetime
7d05ca25-91b4-42ee-b6f6-b06611a87ce8|Medium|Insecure Defaults|Query details
Documentation
|
+|Databricks Autoscale Badly Setup
953c0cc6-5f30-44cb-a803-bf4ef2571be8|Medium|Resource Management|Query details
Documentation
|
+|Databricks Group Without User Or Instance Profile
23c3067a-8cc9-480c-b645-7c1e0ad4bf60|Low|Access Control|Query details
Documentation
| diff --git a/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md b/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md index 8ca4eb4904f..a5888594b0a 100644 --- a/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md +++ b/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md @@ -237,3 +237,34 @@ resource "aws_iam_policy" "negative2policy" { } ``` +```tf title="Negative test num. 3 - tf file" +resource "aws_lambda_function" "negative3" { + function_name = "negative3" + role = "negative3_role" +} + +resource "aws_iam_policy" "negative3policy" { + name = "negative3policy" + path = "/" + description = "negative3 Policy" + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "s3:*", + ] + Effect = "Allow" + Resource = [ + aws_lambda_function.negative3.arn, + "${aws_lambda_function.negative3.arn}:*" + ] + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/3deec14b-03d2-4d27-9670-7d79322e3340.md b/docs/queries/terraform-queries/aws/3deec14b-03d2-4d27-9670-7d79322e3340.md index fd70bed4a14..c613b40ac03 100644 --- a/docs/queries/terraform-queries/aws/3deec14b-03d2-4d27-9670-7d79322e3340.md +++ b/docs/queries/terraform-queries/aws/3deec14b-03d2-4d27-9670-7d79322e3340.md @@ -88,7 +88,7 @@ resource "aws_codebuild_project" "project-cloudrail-test" { source { type = "GITHUB" - location = "https://github.com/mitchellh/packer.git" + location = "https://github.com/foo/bar.git" git_clone_depth = 1 } } @@ -157,7 +157,7 @@ resource "aws_codebuild_project" "project-cloudrail-test2" { source { type = "GITHUB" - location = "https://github.com/mitchellh/packer.git" + location = "https://github.com/foo/bar.git" git_clone_depth = 1 } } 
diff --git a/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md b/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md index 44c5fc968e6..392b0e4c65c 100644 --- a/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md +++ b/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md @@ -24,7 +24,7 @@ hide: ### Description Security groups allow ingress from 0.0.0.0:0 and/or ::/0
-[Documentation](https://www.terraform.io/docs/providers/aws/r/security_group.html) +[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group.html) ### Code samples #### Code samples with security vulnerabilities diff --git a/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md b/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md index df9a95ffcc1..9dd35052973 100644 --- a/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md +++ b/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md @@ -466,8 +466,8 @@ resource "aws_instance" "cowrie_server" { tags = { Name = "cowrie", - author = "konstruktoid" - vcs-url = "https://github.com/konstruktoid/ansible-cowrie-rootless" + author = "foo" + vcs-url = "https://github.com/foo/bar" purpose = "honeypot" } } diff --git a/docs/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df.md b/docs/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df.md index 1ea205b43fe..75bad403934 100644 --- a/docs/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df.md +++ b/docs/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df.md @@ -24,7 +24,7 @@ hide: ### Description Amazon EKS control plane logging don't enabled for all log types
-[Documentation](https://www.terraform.io/docs/providers/aws/r/eks_cluster.html) +[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster.html) ### Code samples #### Code samples with security vulnerabilities diff --git a/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md b/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md index ff136cc853b..2d0fa00097a 100644 --- a/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md +++ b/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md @@ -23,7 +23,7 @@ hide: - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_sse_disabled) ### Description -If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
+If the master key is null, empty, or undefined, then the SSE algorithm should be AES256. Conversely, if the SSE algorithm is AES256, then the master key should be null, empty, or undefined.
[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration) ### Code samples diff --git a/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md b/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md index 2d2c2b4753c..e6b191acfb5 100644 --- a/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md +++ b/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md @@ -18,7 +18,7 @@ hide: - **Query id:** 741f1291-47ac-4a85-a07b-3d32a9d6bd3e - **Query name:** DynamoDB Table Point In Time Recovery Disabled - **Platform:** Terraform -- **Severity:** Info +- **Severity:** Medium - **Category:** Best Practices - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled) diff --git a/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md b/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md index 80d2382f061..fb0ebc1ccb2 100644 --- a/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md +++ b/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md @@ -24,7 +24,7 @@ hide: ### Description Lambda Permission Principal should not contain a wildcard.
-[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html) +[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) ### Code samples #### Code samples with security vulnerabilities diff --git a/docs/queries/terraform-queries/nifcloud/e2de2b80-2fc2-4502-a764-40930dfcc70a.md b/docs/queries/terraform-queries/nifcloud/e2de2b80-2fc2-4502-a764-40930dfcc70a.md index a8a19f43314..d108175fa33 100644 --- a/docs/queries/terraform-queries/nifcloud/e2de2b80-2fc2-4502-a764-40930dfcc70a.md +++ b/docs/queries/terraform-queries/nifcloud/e2de2b80-2fc2-4502-a764-40930dfcc70a.md @@ -28,7 +28,7 @@ The elb use http protocol
### Code samples #### Code samples with security vulnerabilities -```tf title="Positive test num. 1 - tf file" +```tf title="Positive test num. 1 - tf file" hl_lines="1" resource "nifcloud_elb" "positive" { availability_zone = "east-11" instance_port = 80 diff --git a/docs/queries/terraform-queries/tencentcloud/1ee0f202-31da-49ba-bbce-04a989912e4b.md b/docs/queries/terraform-queries/tencentcloud/1ee0f202-31da-49ba-bbce-04a989912e4b.md new file mode 100644 index 00000000000..ef13989dd4c --- /dev/null +++ b/docs/queries/terraform-queries/tencentcloud/1ee0f202-31da-49ba-bbce-04a989912e4b.md @@ -0,0 +1,74 @@ +--- +title: Disk Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1ee0f202-31da-49ba-bbce-04a989912e4b +- **Query name:** Disk Encryption Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/tencentcloud/disk_encryption_disabled) + +### Description +Disks should have encryption enabled
+[Documentation](https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/cbs_storage#encrypt) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="1" +resource "tencentcloud_cbs_storage" "encrytion_positive1" { + storage_name = "cbs-test" + storage_type = "CLOUD_SSD" + storage_size = 100 + availability_zone = "ap-guangzhou-3" + + tags = { + test = "tf" + } +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="6" +resource "tencentcloud_cbs_storage" "encrytion_positive2" { + storage_name = "cbs-test" + storage_type = "CLOUD_SSD" + storage_size = 100 + availability_zone = "ap-guangzhou-3" + encrypt = false + + tags = { + test = "tf" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "tencentcloud_cbs_storage" "encrytion_negative1" { + storage_name = "cbs-test" + storage_type = "CLOUD_SSD" + storage_size = 100 + availability_zone = "ap-guangzhou-3" + encrypt = true + + tags = { + test = "tf" + } +} + +```