From f7e0937e0d2f0cd66d992e4dfa342908c5557598 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Aug 2022 09:56:48 +0000 Subject: [PATCH] docs(queries): update queries catalog --- docs/queries/all-queries.md | 19 ++++++++++--------- docs/queries/ansible-queries.md | 2 +- docs/queries/cloudformation-queries.md | 8 ++++---- docs/queries/terraform-queries.md | 9 +++++---- 4 files changed, 20 insertions(+), 18 deletions(-) diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index 62cb7f4e270..b4ea044aedb 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -340,7 +340,7 @@ This page contains all queries. |S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| |S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|Terraform|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| |Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| |CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| @@ -918,6 +918,7 @@ This page contains all queries. |MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| |AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| |Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| |App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| |Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| @@ -928,9 +929,9 @@ This page contains all queries. |SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| |BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| |BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| |BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| |BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| |BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| @@ -946,7 +947,7 @@ This page contains all queries. |S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| |S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| |S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| |Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| @@ -1195,9 +1196,9 @@ This page contains all queries. |Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| |BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| |BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| |BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| |BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| |BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| @@ -1268,7 +1269,7 @@ This page contains all queries. |S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|Ansible|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| |S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| |Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md index cc086b0cd05..23d95042623 100644 --- a/docs/queries/ansible-queries.md +++ b/docs/queries/ansible-queries.md @@ -20,7 +20,7 @@ Bellow are listed queries related with Ansible AWS: |S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| |S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| |Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md index e158fe21483..21c36bf92c0 100644 --- a/docs/queries/cloudformation-queries.md +++ b/docs/queries/cloudformation-queries.md @@ -18,7 +18,7 @@ Bellow are listed queries related with CloudFormation AWS: |S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| |S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| |S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| |Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| @@ -281,9 +281,9 @@ Bellow are listed queries related with CloudFormation AWS_BOM: |------------------------------|--------|--------|-----------|----| |BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| |BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| |BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| |BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| |BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md index a2cd992472c..845d8480a79 100644 --- a/docs/queries/terraform-queries.md +++ b/docs/queries/terraform-queries.md @@ -24,7 +24,7 @@ Bellow are listed queries related with Terraform AWS: |S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| |S3 Bucket Allows All Actions From All Principals
51cf6f14-6a52-4642-97fb-10db078382d3|High|Access Control|S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| |EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| |Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| |CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879|High|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| @@ -644,6 +644,7 @@ Bellow are listed queries related with Terraform AZURE: |MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| |AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| |Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| |App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| |Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| @@ -661,9 +662,9 @@ Bellow are listed queries related with Terraform AWS_BOM: |------------------------------|--------|--------|-----------|----| |BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| |BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|BOM - SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| |BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| |BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| |BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
|