From e2ee4a9498bd1dbc0116b6854d82f111863f865b Mon Sep 17 00:00:00 2001 From: kicsbot <76819998+kicsbot@users.noreply.github.com> Date: Tue, 23 Aug 2022 12:56:42 +0300 Subject: [PATCH] docs(queries): update queries catalog (#5722) Co-authored-by: rafaela-soares --- docs/queries/all-queries.md | 193 ++++++++++++------ docs/queries/ansible-queries.md | 56 ++--- docs/queries/cloudformation-queries.md | 24 +-- .../googledeploymentmanager-queries.md | 4 +- docs/queries/terraform-queries.md | 109 +++++++--- 5 files changed, 250 insertions(+), 136 deletions(-) diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index cab5b976bae..62cb7f4e270 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -330,7 +330,7 @@ This page contains all queries. |S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| |SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| |SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| |S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| @@ -341,7 +341,7 @@ This page contains all queries. |S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|Terraform|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| |IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| |Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| |CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| |Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| @@ -366,7 +366,7 @@ This page contains all queries. |Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| |ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| |S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| |DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| |Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| |EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| @@ -377,11 +377,11 @@ This page contains all queries. |ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| |ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| |EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| |RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| |MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| |ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| |ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| @@ -413,7 +413,7 @@ This page contains all queries. |ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| |Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| |HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| |Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| |Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| @@ -429,33 +429,90 @@ This page contains all queries. |CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| |CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| |Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| |API Gateway Without Configured Authorizer
ed35928e-195c-4405-a252-98ccb664ab7C|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| |REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| |Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| |Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| |API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| |SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| |Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| |CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
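Review bot: The seventeen privilege-escalation rows added in this hunk are scattered through the Medium/Access Control block rather than grouped, so the Role, Group and User variants of the same action pattern land far apart (for example 'iam:SetDefaultPolicyVersion' appears as a Group row, a Role row and a User row in three separate places, and the 'iam:PutRolePolicy' Role and Group rows are separated by an unrelated ECR row). Since this file is generated, have the generator sort rows by query name within each platform/severity/category group so related checks sit together and future catalog diffs stay small. The row text itself is consistent across all seventeen (action list, 'Resource set to *', same reference link), so no change is needed there.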
| @@ -518,7 +575,7 @@ This page contains all queries. |MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| |ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| |CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| |Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| |Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| |CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| @@ -530,13 +587,13 @@ This page contains all queries. |Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| |Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| |API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| |Api Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|RDS does not have any kind of logger|Documentation
| |API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| |CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| |CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| |GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| |Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| |S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| |MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
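Review bot: The rename on the 'Elasticsearch Without Slow Logs' row goes the wrong way: 'ElasticSearch' with a capital S contradicts the unchanged rows in this file ('Elasticsearch Without IAM Authentication', 'Elasticsearch Domain With Vulnerable Policy', 'Elasticsearch Log is disabled') and the row's own description, which still says 'AWS Elasticsearch'; the other renames in this patch (Cloudfront to CloudFront) move toward the product's casing, so this one should stay 'Elasticsearch'. While here, the unchanged 'Api Gateway Access Logging Disabled' context row carries the description 'RDS does not have any kind of logger', which belongs to a different query and is worth a follow-up fix in the query metadata.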
| @@ -545,7 +602,8 @@ This page contains all queries. |S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| |CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| |EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
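Review bot: The new 'Hardcoded AWS Access Key' row (d7b9d850) added here at Medium is the same query id that a later hunk removes from Low, where its description was 'Hard-coded AWS access key / secret key exists in EC2 user data'; the replacement text 'AWS Access Key should not be hardcoded' drops that scope. If the query still inspects only EC2 user data, keep that in the description (the Lambda row beside it keeps 'Lambda'); if it was broadened to other resources, say which. The Low to Medium severity change is also silent here and should be called out in the PR description.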
| @@ -559,7 +617,6 @@ This page contains all queries. |Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| |Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| |ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|CloudTrail Log Files Not Encrypted With CMK
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| |ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| |ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| |S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| @@ -567,7 +624,7 @@ This page contains all queries. |Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| |Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| |RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| |ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| |EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| @@ -579,14 +636,14 @@ This page contains all queries. |DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| |Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| |Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| |ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| |CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| |CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| |Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| |Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| |EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
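Review bot: 'CloudTrail Log Files Not Encrypted With KMS' is re-added in this hunk under the Observability category, but its description ('Logs delivered by CloudTrail should be encrypted using KMS') describes an encryption control, and the same query id (5d9e3164) sat under Encryption in the hunk that removed it; this looks like a miscategorisation that came along with the CMK to KMS rename and should stay Encryption unless the move was deliberate. Also, the updated 'CloudTrail Log File Validation Disabled' description reads 'whether a log file has not been tampered'; 'tampered with' is the correct phrasing, and 'to detect whether a log file was modified after delivery' would be clearer.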
| @@ -607,7 +664,6 @@ This page contains all queries. |DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| |SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| |KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| |Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| |GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
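Review bot: 'COS Node Image Not Used' (8a893e46) is removed from the High rows here and reappears in the next hunk at Medium with an identical description, so this is a severity downgrade rather than a text fix; the PR description should state why it was lowered, given that the neighbouring GKE hardening rows such as 'GKE Legacy Authorization Enabled' remain High.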
| @@ -635,24 +691,25 @@ This page contains all queries. |Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| |Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| |Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Insecure Configurations|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| |OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| |GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| |Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| |Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| |IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|VM instance should not enable serial ports|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| |RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| |Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| |Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| |Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|Terraform|Medium|Secret Management|KMS Rotation Period should be greater than 365 days.|Documentation
| +|High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|Terraform|Medium|Secret Management|KMS rotation period should not surpass 365 days|Documentation
| |High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|Encryption keys should be changed after 90 days|Documentation
| |User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| |Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to true|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| |Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| |Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| |Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
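Review bot: The 'High KMS Rotation Period' change is a correctness fix, not a wording tweak: the old description 'KMS Rotation Period should be greater than 365 days.' stated the opposite of what the query name implies, and the new 'should not surpass 365 days' matches it, so call this out in the PR description since anyone who relied on the old text would have misread the check. One wording point in the same hunk: 'to ensure the principle of least privileges' on the 'SSH Access Is Not Restricted' row should read 'to follow the principle of least privilege' (a principle is followed, and the noun is singular).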
| @@ -781,7 +838,7 @@ This page contains all queries. |Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| |Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| |Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| |Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| |MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
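Review bot: The 'Public Storage Account' description now ends 'to grant the principle of least privileges', which does not parse; suggest 'Storage Account should not be public, following the principle of least privilege'. The same phrase appears on the GCP 'SSH Access Is Not Restricted' row earlier in this patch, so fix it once in the query metadata the generator reads rather than in this file.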
| @@ -797,7 +854,7 @@ This page contains all queries. |Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| |AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| |AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| |Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| |Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| |SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| @@ -806,7 +863,7 @@ This page contains all queries. |SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| |RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| |MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The Ip Range Must Contain Ips|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| |Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| |Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| |App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
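Review bot: The new CosmosDB description on the `+` line ("The IP range filter should be defined to secure the data stored") no longer names the attribute the query inspects, so a reader cannot map the finding back to the Terraform resource the way the neighbouring rows allow ("which means the attribute 'X' must ..."). Suggest following that pattern, e.g. "..., which means the attribute 'ip_range_filter' should be defined" (assuming the query checks that attribute of `azurerm_cosmosdb_account`); the wording is otherwise an improvement over "The Ip Range Must Contain Ips".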
| @@ -816,23 +873,22 @@ This page contains all queries. |Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| |Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| |Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| |AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| |SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| |Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Best Practices|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| |SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| |Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Encryption|Redis Cache resources should not allow non-SSL connections.|Documentation
| |AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID|Documentation
| |Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| |Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| |Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| |Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| |Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| |Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| |Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
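Review bot: Two rows in this hunk change category rather than wording, which is a semantic change for anyone filtering findings by category: "Redis Cache Allows Non SSL Connections" (e29a75e6) moves from Encryption to Insecure Configurations, and "Unrestricted SQL Server Access" (d7ba74da) is dropped from Best Practices here and reappears under Networking and Firewall in the next hunk. Since a non-SSL Redis connection is a transport-encryption weakness, please confirm the Encryption to Insecure Configurations move is intentional in the query metadata and call both moves out in the release notes. Two smaller points: the AKS Network Policy row should read "principle of least privilege" (singular), and the Role Definition row's added "(Microsoft.Authorization/roleDefinitions/write)" is a useful concrete hint; consider the same "which means ... should be defined" phrasing for consistency with the rest of the table.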
| @@ -841,6 +897,7 @@ This page contains all queries. |Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| |MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| |WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| |Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
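Review bot: The added "Unrestricted SQL Server Access" row keeps the same ID (d7ba74da) as the row removed from Best Practices in the previous hunk, so the re-homing under Networking and Firewall is consistent, but the description has two wording problems: "to grant the principle of least privileges" should be "to follow the principle of least privilege", and "both ips" should be "both IPs". The description also still states the check as "must be less than 256" while the sentence opens with "should"; pick one modal for the row.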
| @@ -903,7 +960,7 @@ This page contains all queries. |EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| |Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| |API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when compatible with engine and version|Documentation
| |SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| |ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| |S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
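Review bot: The qualifier added to the IAM Database Auth row, "when compatible with engine and version", is too vague to act on: a reader seeing a finding cannot tell from this table whether their engine/version combination is one the query now skips or one it flags. Suggest either stating the condition the query actually evaluates (which engines and version ranges) or pointing to the linked Documentation page for the list. Separately, this row stays under the Encryption category although the control is about authentication; if categories are being revisited in this catalog update, this one is a candidate.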
| @@ -918,7 +975,7 @@ This page contains all queries. |ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| |User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded|Documentation
| |ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| |EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| |MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| |ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
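Review bot: The new wording on the "User Data Contains Encoded Private Key" row, "anyone can decode the private key easily", states the risk loosely; base64 is an encoding, not encryption, so the point is that anyone who can read the instance user data can recover the key unchanged. Suggest "User Data should not contain a base64-encoded private key, since base64 is not encryption and anyone able to read the user data can recover the key". Also note the description drops "RSA" from the old text; that is fine only if the query matches private-key headers beyond RSA, otherwise keep "RSA" so the description matches what is detected.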
| @@ -949,17 +1006,17 @@ This page contains all queries. |ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| |EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| |HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|DB Security Group with Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| |Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| |Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| |Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| -|EC2 Instance Has Public IP
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| |Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| |Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| |RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| |CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| |Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
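Review bot: The rename of b3de4e4c from "EC2 Instance Has Public IP" to "EC2 Instance Subnet Has Public IP Mapping On Launch" now matches its description (the check is on a Subnet's MapPublicIpOnLaunch, not on an instance), and the ID is unchanged, which is the right way to do it; since users may reference queries by name in suppressions or reports, please mention the rename in the release notes. The "DB Security Group With Public Scope" description's new tail "If so, any IP can access it" would read better as "otherwise any IP address can reach the database". The S3 Bucket CloudTrail Logging row's must to should change is consistent with the rest of this PR.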
| @@ -1010,8 +1067,8 @@ This page contains all queries. |KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| |Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| |Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|SQS with SSE disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Should have EncryptionKey defined|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| |IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| |ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| |Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| @@ -1051,7 +1108,7 @@ This page contains all queries. |VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| |API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| |MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'DistributionConfig.Logging' must be defined|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| |CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| |CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| |CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| @@ -1059,7 +1116,7 @@ This page contains all queries. |Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| |GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| |S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| |MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| |ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| @@ -1069,7 +1126,7 @@ This page contains all queries. |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| |CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| |ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| |Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| |DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
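Review bot: The replacement description for "Hardcoded AWS Access Key In Lambda" drops the "AWS" qualifier that the old text ("Lambda hardcoded AWS access/secret keys") and the row title both carry; suggest "Lambda functions should not have AWS access or secret keys hardcoded" so the description states what is detected rather than generic "access/secret keys".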
| @@ -1101,7 +1158,7 @@ This page contains all queries. |IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| |DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With CMK
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| |Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| |S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
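Review bot: The title of 050a9ba8 changes from "...Not Encrypted With CMK" to "...Not Encrypted With KMS", which narrows or broadens the meaning depending on what the query evaluates: if it only checks that a KMS key is configured for the trail, "KMS" is the accurate title; if it checks that the key is a customer-managed key (as the old title implied), "CMK" should stay. Please confirm against the query logic. The appended "to increase security of your CloudTrail" adds no information; a more useful tail would say what the encryption protects, e.g. "so that log files at rest in S3 cannot be read without access to the key".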
| @@ -1116,7 +1173,7 @@ This page contains all queries. |EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| |Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| |ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
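Review bot: The added clause on the "CloudTrail Log File Validation Disabled" row, "to determine whether a log file has not been tampered", is grammatically off (tampered needs "with") and double-negated. Suggest "so that it can be determined whether a log file was modified or deleted after CloudTrail delivered it".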
| @@ -1171,7 +1228,6 @@ This page contains all queries. |SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| |DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| |SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| |Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| |GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
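Review bot: This hunk removes "COS Node Image Not Used" (dbe058d7) from the High severity rows without a replacement here; the following hunk re-adds it at Medium, so the two hunks together are a severity downgrade rather than a deletion and should be reviewed as such (see the note there). While here, the unchanged context line for "SQL DB Instance With SSL Disabled" reads "should have SLL enabled", a typo for "SSL" that could be fixed in the query metadata in a follow-up.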
| @@ -1190,10 +1246,11 @@ This page contains all queries. |Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| |Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| |Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| |Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| |IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| |RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| |Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
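Review bot: Re-adding "COS Node Image Not Used" (dbe058d7) under Medium completes a High to Medium severity downgrade started in the previous hunk; the ID is unchanged, so existing references stay valid, but the downgrade is a policy change that the release notes should call out explicitly, since teams gating on High findings will stop seeing it. On the "SSH Access Is Not Restricted" row, "to ensure the principle of least privileges" should be "to follow the principle of least privilege", the same fix as for the Terraform rows earlier in this PR.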
| @@ -1203,7 +1260,7 @@ This page contains all queries. |S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| |SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| |SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| |S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
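Review bot: the title-case change from "ECS Service Admin Role is Present" to "ECS Service Admin Role Is Present" is applied inconsistently within this hunk: "SNS Topic is Publicly Accessible" two rows below keeps a lowercase "is", and "S3 Bucket ACL Allows Read to Any Authenticated User" keeps a lowercase "to". If the catalog is being normalized to title case, those titles should change in the same patch (or the generator should apply a single capitalization rule), otherwise the inconsistency reappears on the next regeneration.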
| @@ -1212,7 +1269,7 @@ This page contains all queries. |S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| |IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| |Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| |DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
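Review bot: the expanded Authentication Without MFA description is fine as written, but two unchanged context rows in this hunk carry issues that this consistency pass should pick up: "DB Instance Storage Not Encrypted" describes an Ansible query using the Terraform resource name aws_db_instance ("The parameter storage_encrypted in aws_db_instance must be set to 'true'"), which will confuse Ansible users looking for the matching module option, and "Redshift Not Encrypted" is phrased as an instruction to the reader ("Check if 'encrypted' field is false or undefined") while the rewritten rows around it use the "should" recommendation form.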
| @@ -1229,9 +1286,9 @@ This page contains all queries. |ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| |ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data contains an encoded RSA Private Key|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| |EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| |ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| |Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
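Review bot: the new description for User Data Contains Encoded Private Key drops "RSA" from the previous text ("User Data contains an encoded RSA Private Key"), which widens the stated scope to any private key; if the query still only matches RSA key material, the description now over-promises, so either keep "RSA" or confirm the query covers other key types. Also "base64 encoded private key" should be hyphenated as "base64-encoded private key", and "If so, anyone can decode the private key easily" is more precise as "anyone who can read the user data can decode it". Separately, IAM Database Auth Not Enabled stays in the Encryption category although its new text ("should be configured to true when using compatible engine and version") describes an authentication setting; Access Control or Insecure Configurations looks like the better fit.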
| @@ -1249,7 +1306,7 @@ This page contains all queries. |DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| |Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| |ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| |Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| |Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
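Review bot: the DB Security Group With Public Scope row is softened from "must not be" to "should not be" while the adjacent DB Security Group Open To Large Scope row in this hunk keeps "must not have"; both are High severity, so the pair should use one modal. The appended sentence "If so, any IP can access it" is also missing its terminating period, unlike the sentence before it.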
| @@ -1278,7 +1335,7 @@ This page contains all queries. |RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| |Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| |IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|Check if IAM account password has at least one number|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| |Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| |Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| |IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length|Documentation
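Review bot: the new wording "IAM user resource Login Profile Password should have at least one number" breaks the pattern of its sibling rows in this hunk ("IAM Password should have at least one lowercase letter", "IAM password should have the required minimum length"). If the intent is to say that the check applies to the user's login profile password rather than the account password policy, say it in the same shape, for example "IAM user login profile password should have at least one number". The context row Stack Retention Disabled also has "it's associated resources" (should be "its"), worth fixing while these descriptions are being touched.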
| @@ -1287,7 +1344,7 @@ This page contains all queries. |EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted|Documentation
| |Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| |Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| |AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
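Review bot: only the title of the SQS row changes here ("SQS with SSE disabled" to "SQS With SSE Disabled"); the unchanged description "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages" has a number-agreement error ("its messages") and, unlike the rewritten rows elsewhere in this patch, is phrased as a finding rather than a recommendation. Suggest "Amazon Simple Queue Service (SQS) queues should protect the contents of their messages using Server-Side Encryption (SSE)" in the same change.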
| @@ -1296,20 +1353,21 @@ This page contains all queries. |Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| |ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| |API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| |API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| |CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| |CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| |CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| |API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| |API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| |S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|S3 bucket should have debug_botocore_endpoint_logs|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|S3 bucket should have 'debug_botocore_endpoint_logs' defined|Documentation
| |CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access key should not be in plaintext.|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
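Review bot: two rows in this hunk need a closer look. First, S3 Bucket Logging Disabled now reads "S3 bucket should have 'debug_botocore_endpoint_logs' defined"; that attribute name does not describe bucket access logging (in the amazon.aws modules it is a task-level debug option for botocore API-call logging), so either the description or the query is pointing at the wrong setting, and the row should name the bucket logging option the query actually inspects. Second, the Hardcoded AWS Access Key row (c2f15af3-66a0-4176-a56e-e4711e502e5c) is added here at Medium with the generic description "AWS Access Key should not be hardcoded", replacing the Low row deleted later in this patch whose description was scoped to EC2 user data ("Check if the user data in the EC2 instance has the access key hardcoded"); a severity change on an existing query id should be stated in the commit message rather than implied by a catalog regeneration, and if the query still only inspects user data the scoping belongs in the description.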
| @@ -1318,16 +1376,15 @@ This page contains all queries. |Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| |Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With CMK
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| |Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| |RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| |ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| |EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| |Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Low|Secret Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| |Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| |BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
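Review bot: the new CloudTrail Log File Validation Disabled description ends "to determine whether a log file has not been tampered"; this should be "whether a log file has been tampered with" (or "modified after delivery"). The CloudTrail Log Files Not Encrypted With KMS row switches to second person ("to increase security of your CloudTrail"), which no other row in the catalog uses; "to increase the security of the delivered logs" keeps the register. The deletion of the Hardcoded AWS Access Key row here is the other half of its move to Medium earlier in the patch, which is fine as long as both halves land in the same commit.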
| @@ -1336,7 +1393,6 @@ This page contains all queries. |DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| |SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| |Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| |PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| |GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
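Review bot: this hunk only deletes COS Node Image Not Used from High / Insecure Configurations, and the row reappears later in this patch as Medium / Resource Management with the same id (be41f891-96b1-4b9d-b74f-b922a918c778); a High to Medium downgrade is a user-visible change for anyone filtering results by severity and deserves a line in the commit message. While here, the context row SQL DB Instance With SSL Disabled has the typo "SLL enabled" for "SSL enabled".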
| @@ -1363,50 +1419,51 @@ This page contains all queries. |Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| |OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| |Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| |Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| |GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Defaults|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| |Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| |IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| |RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| |Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| |PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| |PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Resource Management|The node image should be Container-Optimized OS(COS)|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High KMS Rotation Period
79f45008-60b3-4a0a-a302-8311fd3701b4|Ansible|Medium|Secret Management|KMS rotation period should not surpass 365 days.|Documentation
| +|High KMS Rotation Period
79f45008-60b3-4a0a-a302-8311fd3701b4|Ansible|Medium|Secret Management|KMS rotation period should not surpass 365 days|Documentation
| |High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|Encryption keys should be changed after 90 days|Documentation
| |Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to yes|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| |Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| |Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| |MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| |Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| |SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| |VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| |Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| |AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| |Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| |Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| |Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| |SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| |Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| |Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| |AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| |SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| |SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| |Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Encryption|Redis Cache resources should not allow non-SSL connections.|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| |Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| |Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Ansible|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| |WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| |Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md index 06a7a39c016..cc086b0cd05 100644 --- a/docs/queries/ansible-queries.md +++ b/docs/queries/ansible-queries.md @@ -12,7 +12,7 @@ Bellow are listed queries related with Ansible AWS: |S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| |SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| |SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| |S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| @@ -21,7 +21,7 @@ Bellow are listed queries related with Ansible AWS: |S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| |IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| |Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| |DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| @@ -38,9 +38,9 @@ Bellow are listed queries related with Ansible AWS: |ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded|Documentation
| |ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data contains an encoded RSA Private Key|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| |EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| |ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| |Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| @@ -58,7 +58,7 @@ Bellow are listed queries related with Ansible AWS: |DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| |Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| |ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| |Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| |Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| @@ -87,7 +87,7 @@ Bellow are listed queries related with Ansible AWS: |RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| |Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| |IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|Check if IAM account password has at least one number|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| |Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy|Documentation
| |Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| |IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| @@ -96,7 +96,7 @@ Bellow are listed queries related with Ansible AWS: |EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted|Documentation
| |Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| |Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| |AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| @@ -105,20 +105,21 @@ Bellow are listed queries related with Ansible AWS: |Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| |ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| |API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| |API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| |CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| |CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| |CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| |API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| |API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| |S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|S3 bucket should have debug_botocore_endpoint_logs|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|S3 bucket should have 'debug_botocore_endpoint_logs' defined|Documentation
| |CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access key should not be in plaintext.|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated|Documentation
| @@ -127,16 +128,15 @@ Bellow are listed queries related with Ansible AWS: |Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| |Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With CMK
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| |Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| |RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| |ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| |EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| |Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Low|Secret Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| ### GCP Bellow are listed queries related with Ansible GCP: @@ -152,7 +152,6 @@ Bellow are listed queries related with Ansible GCP: |DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| |SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| |Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| |PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| |GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| @@ -179,22 +178,23 @@ Bellow are listed queries related with Ansible GCP: |Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| |OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| |Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| |Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| |GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Defaults|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| |Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| |IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| |RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| |Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| |PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| |PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Resource Management|The node image should be Container-Optimized OS(COS)|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High KMS Rotation Period
79f45008-60b3-4a0a-a302-8311fd3701b4|Medium|Secret Management|KMS rotation period should not surpass 365 days.|Documentation
| +|High KMS Rotation Period
79f45008-60b3-4a0a-a302-8311fd3701b4|Medium|Secret Management|KMS rotation period should not surpass 365 days|Documentation
| |High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|Encryption keys should be changed after 90 days|Documentation
| |Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to yes|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| ### AZURE Bellow are listed queries related with Ansible AZURE: @@ -204,32 +204,32 @@ Bellow are listed queries related with Ansible AZURE: |------------------------------|--------|--------|-----------|----| |Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| |Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| |MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| |Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| |SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| |VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| |Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| |AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| |Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| |Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| |Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| |SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| |Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| |Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| |AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| |SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| |SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| |Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Encryption|Redis Cache resources should not allow non-SSL connections.|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| |Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| |Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| |WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| |Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md index 2bd1afc30a8..e158fe21483 100644 --- a/docs/queries/cloudformation-queries.md +++ b/docs/queries/cloudformation-queries.md @@ -32,7 +32,7 @@ Bellow are listed queries related with CloudFormation AWS: |EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| |Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| |API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when compatible with engine and version|Documentation
| |SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| |ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| |S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| @@ -47,7 +47,7 @@ Bellow are listed queries related with CloudFormation AWS: |ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| |User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded|Documentation
| |ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| |EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| |MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| |ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| @@ -78,17 +78,17 @@ Bellow are listed queries related with CloudFormation AWS: |ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| |EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| |HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|DB Security Group with Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| |Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| |Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| |Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| -|EC2 Instance Has Public IP
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| |Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| |Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| |RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| |CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| |Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| @@ -139,8 +139,8 @@ Bellow are listed queries related with CloudFormation AWS: |KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| |Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| |Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|SQS with SSE disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Should have EncryptionKey defined|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| |IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| |ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| |Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| @@ -180,7 +180,7 @@ Bellow are listed queries related with CloudFormation AWS: |VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| |API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| |MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'DistributionConfig.Logging' must be defined|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| |CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| |CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| |CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| @@ -188,7 +188,7 @@ Bellow are listed queries related with CloudFormation AWS: |Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| |GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| |S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| |MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| |ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| @@ -198,7 +198,7 @@ Bellow are listed queries related with CloudFormation AWS: |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| |CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| |ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| |Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| |DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| @@ -230,7 +230,7 @@ Bellow are listed queries related with CloudFormation AWS: |IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| |DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With CMK
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| |API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| |Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| |S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| @@ -245,7 +245,7 @@ Bellow are listed queries related with CloudFormation AWS: |EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| |Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| |ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md index 95f0a59ad2e..8357c04618f 100644 --- a/docs/queries/googledeploymentmanager-queries.md +++ b/docs/queries/googledeploymentmanager-queries.md @@ -9,7 +9,6 @@ This page contains all queries from GoogleDeploymentManager. |SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| |DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| |SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| |Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| |GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| @@ -28,10 +27,11 @@ This page contains all queries from GoogleDeploymentManager. |Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| |Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| |Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| |Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| |IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| |RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| |Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md index 4622976e3ec..a2cd992472c 100644 --- a/docs/queries/terraform-queries.md +++ b/docs/queries/terraform-queries.md @@ -14,7 +14,7 @@ Bellow are listed queries related with Terraform AWS: |S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| |SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| |SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| |S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| |S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| @@ -25,7 +25,7 @@ Bellow are listed queries related with Terraform AWS: |S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| |IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| |Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| |CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| |Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| @@ -50,7 +50,7 @@ Bellow are listed queries related with Terraform AWS: |Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| |ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| |S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| |DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| |Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| |EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
| @@ -61,11 +61,11 @@ Bellow are listed queries related with Terraform AWS: |ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded|Documentation
| |ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| |EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| |RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| |MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| |ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| |ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| @@ -97,7 +97,7 @@ Bellow are listed queries related with Terraform AWS: |ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| |Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| |HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| |Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| |Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
| @@ -113,33 +113,90 @@ Bellow are listed queries related with Terraform AWS: |CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| |CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| |Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| |API Gateway Without Configured Authorizer
ed35928e-195c-4405-a252-98ccb664ab7C|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| |REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| |Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| |Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| |API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| |SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| |Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| |CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| @@ -202,7 +259,7 @@ Bellow are listed queries related with Terraform AWS: |MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| |ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| |CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| |Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| |Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| |CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| @@ -214,13 +271,13 @@ Bellow are listed queries related with Terraform AWS: |Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| |Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| |API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| |Api Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|RDS does not have any kind of logger|Documentation
| |API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| |CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| |CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| |GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| |Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| |S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| |MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| @@ -229,7 +286,8 @@ Bellow are listed queries related with Terraform AWS: |S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| |CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| |S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| |EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| @@ -243,7 +301,6 @@ Bellow are listed queries related with Terraform AWS: |Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| |Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| |ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|CloudTrail Log Files Not Encrypted With CMK
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| |ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| |ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| |S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| @@ -251,7 +308,7 @@ Bellow are listed queries related with Terraform AWS: |Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| |Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| |RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| |ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| |EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| @@ -263,14 +320,14 @@ Bellow are listed queries related with Terraform AWS: |DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled|Documentation
| |Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| |Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| |VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| |ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights|Documentation
| |CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| |CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| |Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared|Documentation
| |Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| |EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| @@ -305,7 +362,6 @@ Bellow are listed queries related with Terraform GCP: |DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| |SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| |KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|High|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| |Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| |GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| @@ -333,24 +389,25 @@ Bellow are listed queries related with Terraform GCP: |Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| |Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| |Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| |Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Insecure Configurations|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| |OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| |GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| |Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| |Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| |IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|VM instance should not enable serial ports|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| |RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| |Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| |Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| |Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|Medium|Secret Management|KMS Rotation Period should be greater than 365 days.|Documentation
| +|High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|Medium|Secret Management|KMS rotation period should not surpass 365 days|Documentation
| |High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|Encryption keys should be changed after 90 days|Documentation
| |User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| |Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have 'private_ip_google_access' set to true|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| ### SHARED (V2/V3) Bellow are listed queries related with Terraform SHARED (V2/V3): @@ -507,7 +564,7 @@ Bellow are listed queries related with Terraform AZURE: |Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| |Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| |Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| |Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| |MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| @@ -523,7 +580,7 @@ Bellow are listed queries related with Terraform AZURE: |Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| |AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| |AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| |Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| |Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| |SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| @@ -532,7 +589,7 @@ Bellow are listed queries related with Terraform AZURE: |SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| |RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| |MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The Ip Range Must Contain Ips|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| |Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| |Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| |App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| @@ -542,23 +599,22 @@ Bellow are listed queries related with Terraform AZURE: |Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| |Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| |Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| |AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| |SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| |Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Best Practices|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| |SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| |Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Encryption|Redis Cache resources should not allow non-SSL connections.|Documentation
| |AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID|Documentation
| |Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| |Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| |Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| |Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| |Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| |Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| |Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| |Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| |Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| @@ -567,6 +623,7 @@ Bellow are listed queries related with Terraform AZURE: |Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| |MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| |WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| |Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
|