Prisma Cloud IaC Scan

Scan CloudFormation, Terraform, Kubernetes deployment YAML files for security issues.

Kubernetes app YAML policies

| Severity | Policy | Rule | ID | Resource Type |
|---|---|---|---|---|
| high | all capabilities should be dropped | `$.spec.template.spec.containers[*].securityContext.capabilities.drop exists and !contains all` | 4682a6f1-2a1b-4f5a-938c-cdd3fa421a63 | k8s |
| high | avoid running privileged containers | `$.spec.template.spec.containers[*].securityContext.privileged is true` | 92714c07-d12b-4635-ae6a-514c5c428c5a | k8s |
| high | containers must be run as non-root | `$.spec.template.spec.containers[*].securityContext.runAsNonRoot exists and is false` | 2e22737c-a5b8-4808-8a8b-d99fc7e99505 | k8s |
| high | do not run containers as root | `$.spec.template.spec.securityContext.runAsUser < 1` | 314eba46-a376-43f6-9a0a-8517818301f1 | k8s |
| high | do not share host network with containers | `$.spec.template.spec.hostNetwork is true` | 99544e17-fc8f-4c77-963e-083ab80c53b0 | k8s |
| low | do not allow volume claims to be read by many nodes | `$.spec.volumeClaimTemplates[*].spec.accessModes == ReadOnlyMany` | 802f2ed9-0b0d-4627-bf1a-7cb0ccfdd71c | k8s |
| medium | do not allow sharing host IPC namespace | `$.spec.template.spec.hostIPC is true` | 344fb01c-7195-3e9f-47e1-c640733af43f | k8s |
| medium | do not allow sharing host PID namespace | `$.spec.template.spec.hostPID is true` | 4c5d00c1-8f60-40bc-9566-a5b4e019752a | k8s |
| medium | do not allow volume claims to be read-write by many nodes | `$.spec.volumeClaimTemplates[*].spec.accessModes == ReadWriteMany` | f9bcb4b8-3f22-448a-8521-9e09e3a994e0 | k8s |
| medium | do not run containers with dangerous capabilities | `$.spec.template.spec.containers[*].securityContext.capabilities exists and $.spec.template.spec.containers[*].securityContext.capabilities.add[*] is member of (FSETID, SETUID, SETGID,SYS_CHROOT,SYS_PTRACE,CHOWN,NET_RAW,NET_ADMIN,SYS_ADMIN,NET_BIND_SERVICE)` | 135420a6-3206-4c29-b944-846f65cea43e | k8s |
| medium | ensure containers are immutable | `$.spec.template.spec.containers[*].securityContext.readOnlyRootFilesystem exists and is false` | c448b01c-7f95-4e9f-97e1-c640733af44f | k8s |
| medium | entrypoint of the container must be run with a user with a high ID | `$.spec.template.spec.containers[*].securityContext.runAsUser < 9999` | 6e06b1a6-7eea-4730-91c2-9ac3fb676dce | k8s |

Terraform policies

| Severity | Policy | Rule | ID | Resource Type |
|---|---|---|---|---|
| high | Azure AKS enable role-based access control (RBAC) not enforced | `$.resource.*.azurerm_kubernetes_cluster[*].*[*].role_based_access_control anyNull or $.resource.*.azurerm_kubernetes_cluster[*].*[*].role_based_access_control[*].enabled anyFalse` | 996f840b-49bf-4340-a117-803e96aa84d0 | AKS |
| medium | AWS VPC NACL allows egress traffic from blocked ports | `$.resource[*].aws_network_acl exists and $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].action==allow` | de727ef6-60b0-46b9-a056-29830952c986 | AWS NACL egress rules |
| low | AWS S3 CloudTrail buckets for which access logging is disabled | `$.resource[*].aws_cloudtrail[*].*[*].enable_logging anyFalse` | 82578260-f754-4e0e-ba6b-a06b9e36ad5b | AWS S3 cloudtrail logging |
| medium | AWS VPC NACL allows traffic from blocked ports | `$.resource[*].aws_network_acl exists and $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].action==allow` | 1cc0ec13-4079-4e27-b597-9edf83a1cd93 | AWS VPC NACL allow traffic |
| medium | AWS security group allows traffic from blocked ports | `$.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].ipv6_cidr_blocks[*] == ::/0` | 9731fe16-636f-477a-b083-6d90c66d2c0b | AWS security group ingress ports |
| high | AWS CloudTrail bucket is publicly accessible | `$.resource[*].aws_cloudtrail exists and $.resource[*].aws_cloudtrail[*].*[*].s3_bucket_name equals $.resource[*].aws_s3_bucket_public_access_block[*].*[*].bucket and ($.resource[*].aws_s3_bucket_public_access_block[*].*[*].block_public_acls isFalse or $.resource[*].aws_s3_bucket_public_access_block[*].*[*].block_public_policy isFalse)` | fc24c16c-f3cc-43b0-aa0e-ba32f5e234d3 | AWS_cloudtrail_s3_bucket |
| medium | Azure App Service Web app authentication is off | `$.resource.*.azurerm_app_service[*].*[*].auth_settings[*].enabled anyFalse or $.resource.*.azurerm_app_service[*].*[*].auth_settings anyNull` | d8d4a039-2b04-48c9-80fc-70341eba5c34 | App Service |
| medium | Azure App Service Web app doesn't have a Managed Service Identity | `$.resource.*.azurerm_app_service[*].*[*].identity anyNull` | d18a4314-cb4d-40f7-b21b-47287690771f | App Service |
| high | Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 | `($.resource[*].azurerm_network_security_rule exists and ($.resource[*].azurerm_network_security_rule.*[*].*.access contains Allow and $.resource[*].azurerm_network_security_rule.*[*].*.destination_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.source_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.destination_port_range contains 22 and $.resource[*].azurerm_network_security_rule.*[*].*.direction contains Inbound))` | 1eb0cd02-789a-4b96-8463-fb5583e40585 | Azure Network Security Group |
| medium | Azure Network Security Group (NSG) allows traffic from internet on port 3389 | `$.resource.*.azurerm_network_security_rule[*].*[?( @.access == 'Allow' && @.direction == 'Inbound' )].destination_port_ranges contains 3389 or $.resource.*.azurerm_network_security_rule[*].*[?( @.access == 'Allow' && @.direction == 'Inbound' )].destination_port_range equals 3389` | 8f9c12f8-1373-4c93-9da1-cccd7f3a33c9 | Azure Network Security Group |
| medium | Azure Network Watcher Network Security Group (NSG) flow logs retention is less than 90 days | `$.resource.*.azurerm_network_security_group size greater than 0 and ($.resource.*.azurerm_network_watcher_flow_log size equals 0 or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].enabled anyNull or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].enabled anyFalse or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].retention_policy[*].enabled anyFalse or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].retention_policy[?( @.days<90 )] size greater than 0)` | 25f2b8ba-1044-470b-95dc-1d096e7b21c2 | Azure Network Security Group |
| medium | Azure SQL Server advanced data security is disabled | `$.resource.*.azurerm_sql_server size greater than 0 and ($.resource.*.azurerm_mssql_server_security_alert_policy size == 0 or $.resource.*.azurerm_mssql_server_security_alert_policy[*].*[*].state anyEqual "Disabled" or $.resource.*.azurerm_mssql_server_security_alert_policy[*].*[*].retention_days anyNull )` | 049cb412-96a9-4c93-8561-35857eaf3d78 | Azure SQL Server |
| medium | Azure Storage Account 'Trusted Microsoft Services' access not enabled | `$.resource.*.azurerm_storage_account size greater than 0 and ($.resource.*.azurerm_storage_account[*].*[*].network_rules anyNull or $.resource.*.azurerm_storage_account[*].*[*].network_rules[*].bypass anyNull or not ( $.resource.*.azurerm_storage_account[*].*[*].network_rules[*].bypass allEqual "AzureServices" ))` | 3b26ab70-6d7e-4f8f-808f-d41d3709f02f | Azure Storage Account |
| low | AWS ECS/Fargate task definition root user found | `$.resource[*].aws_ecs_task_definition[*].*[*].container_definitions[?(@.user=='root')] exists` | d7cf6d0e-e515-4d0f-b93d-c88932c60172 | ECS task definition |
| medium | SQL Instances with network authorization exposing them to the Internet | `$.resource[*].google_sql_database_instance[*].*[*].settings[*].ip_configuration[*].authorized_networks[*].value anyEqual 0.0.0.0/0 or $.resource[*].google_sql_database_instance[*].*[*].settings[*].ip_configuration[*].authorized_networks[*].value anyEqual ::/0` | 32865329-308b-4a18-bcf5-fe71423d8770 | GCP SQL DB Instance |
| medium | GCP VM instances have IP forwarding enabled | `$.resource[*].google_compute_instance_template[*].*.[*].can_ip_forward anyTrue` | c52cef1e-cb56-43dc-8708-fbff0e64b59a | GCP VM instances |
| low | GCP Kubernetes Engine Clusters have pod security policy disabled | `$.resource[*].google_container_cluster.*[*].*.pod_security_policy_config anyNull or $.resource[*].google_container_cluster.*[*].*.pod_security_policy_config.enabled anyFalse` | b24c52e5-948c-4335-b8e0-c44b86b69538 | GCP k8s pod_security |
| medium | GCP Kubernetes Engine Clusters using the default network | `$.resource[*].google_project[*].*[*].auto_create_network anyTrue or $.resource[*].google_project[*].*[*].auto_create_network anyNull` | 2d372220-3125-48ec-915b-30f0fc5220fb | Google Project |
| medium | SQL Instances do not have SSL configured | `$.resource[*].google_sql_database_instance exists and $.resource[*].google_sql_ssl_cert !exists` | 06362923-51f1-4cc7-95bf-86ecf96b63e8 | Google SQL instances |
| low | GCP IAM users have overly permissive Cloud KMS roles | `$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/cloudkms.admin' )].members any start with "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/cloudkms.admin' )].members any start with "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/cloudkms.admin' )].members any start with "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/cloudkms.admin')].member startsWith "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/cloudkms.admin')].members any start with "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/cloudkms.admin' )].members any start with "user:"` | 54839df2-74d6-4642-a12f-807638f89842 | IAM |
| low | GCP IAM user with service account privileges | `$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/iam.serviceAccountUser' \|\| @.role=='roles/iam.serviceAccountActor' \|\| @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:"` | 9f562f72-2bd6-445b-8d51-ed1212056417 | IAM |
| medium | GCP IAM Service account has admin privileges | `$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/editor' \|\| @.role=='roles/owner' )].members any end with ".gserviceaccount.com"` | acf7e81a-e901-4475-9cdb-d730a1c658bf | IAM |
| medium | AWS security group allows egress traffic from blocked ports - 21,22,135,137-139,445,69 | `$.resource[*].aws_security_group exists and $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].ipv6_cidr_blocks[*] == ::/0` | 2b47072f-0d2b-45a5-aa2d-1db80974176e | Security Group egress traffic |
| high | AWS Security Groups allow internet traffic to SSH port (22) | `$.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].ipv6_cidr_blocks[*] contains ::/0)` | c2bcdbe7-7c2c-48bc-a0f7-37e1b9766385 | Security Group ingress rule |
| medium | AWS RDS event subscription disabled for DB security groups | `$.resource[*].aws_db_instance exists and ( $.resource[*].aws_db_event_subscription !exists or $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')] anyNull or not $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled anyNull or $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled anyTrue )` | b81ceb53-e21a-4456-a35b-ece94323637b | aws_db_event_subscription |
| medium | Azure App Service Web app doesn't redirect HTTP to HTTPS | `$.resource[*].azurerm_app_service.*.*.* size > 0 and ($.resource[*].azurerm_app_service[*].*.*.https_only anyNull or $.resource[*].azurerm_app_service[*].*.*.https_only anyFalse)` | 3555e091-5af1-4ad2-b77e-5b1867d2d496 | azurerm_app_service |
| medium | Azure App Service Web app doesn't use HTTP 2.0 | `$.resource[*].azurerm_app_service.*.*.* size > 0 and ($.resource[*].azurerm_app_service[*].*.*.http2_enabled anyNull or $.resource[*].azurerm_app_service[*].*.*.http2_enabled anyFalse)` | 514a40c7-a7c4-49d4-a001-b949459ba8c9 | azurerm_app_service |
| medium | AWS CloudTrail logs are not encrypted using Customer Master Keys (CMKs) | `$.resource[*].aws_cloudtrail exists and ($.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyNull or $.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyEmpty)` | 07a06f60-1532-4e2e-b91c-8f972a96f1a9 | cloudtrail |
| medium | AWS ECS/Fargate task definition execution IAM Role not found | `$.resource[*].aws_ecs_task_definition exists and $.resource[*].aws_ecs_task_definition[*].*[*].container_definitions exists and ($.resource[*].aws_ecs_task_definition[*].*[*].execution_role_arn anyNull or $.resource[*].aws_ecs_task_definition[*].*[*].execution_role_arn anyEmpty)` | a76c8132-7cc3-40b1-a417-d3a41fc44f89 | ecs |
| high | AWS EKS unsupported Master node version | `$.resource[*].aws_eks_cluster[*].*[*].version anyStartWith 1.9.` | 60440266-3d03-41ce-ba8c-d51ccbdb6804 | eks |
| medium | AWS ElasticSearch cluster not in a VPC | `$.resource[*].aws_elasticsearch_domain exists and $.resource[*].aws_elasticsearch_domain[*].*[*].vpc_options does not exist` | 28ee2708-305a-4b23-acf0-535ab45b96ab | elasticsearch |
| medium | GCP VPC Network subnets have Private Google access disabled | `$.resource[*].google_compute_subnetwork[*].*[*].private_ip_google_access anyNull or $.resource[*].google_compute_subnetwork[*].*[*].private_ip_google_access anyFalse` | 1af7b784-5c6c-43c0-a736-dc5e47cc235a | google compute subnetwork |
| medium | GCP Projects have OS Login disabled | `$.resource[*].google_compute_project_metadata_item.[*].[*].[*].key exists and $.resource[*].google_compute_project_metadata_item.[*].[*].[*].key == enable-oslogin and $.resource[*].google_compute_project_metadata_item.[*].[*].[*].value exists and $.resource[*].google_compute_project_metadata_item.[*].[*].[*].value == FALSE` | 6cb4c384-15fc-4b06-8a45-0542144ad8d9 | google_compute_project |
| medium | GCP Storage buckets are publicly accessible to all authenticated users | `$.resource[*].google_storage_bucket_access_control[*].*[*].entity contains allUsers` | 0716cf97-9f82-46ae-8b35-09f2ee41d136 | google_storage_bucket_access_control |
| medium | AWS IAM password policy does not expire in 90 days | `$.resource[*].aws_iam_account_password_policy[*].*[?( @.max_password_age>90 )] is not empty` | cb4e7ef6-b4b4-45a5-9ae5-194d3a0e12e9 | iam_account_password |
| medium | AWS IAM password policy does not have a lowercase character | `$.resource[*].aws_iam_account_password_policy[*].*[*].require_lowercase_characters anyFalse` | 77c2d5a8-071f-48b9-9de0-5917e9b4548d | iam_account_password |
| medium | AWS IAM password policy does not have a minimum of 14 characters | `$.resource[*].aws_iam_account_password_policy[*].*[?( @.minimum_password_length<14 )] is not empty` | 7228106b-f82f-4d2e-a1a0-73fd15f70637 | iam_account_password |
| medium | AWS IAM password policy does not have a number | `$.resource[*].aws_iam_account_password_policy[*].*[*].require_numbers anyFalse` | 41fdae49-6fc7-4bc9-80e4-2cbb2262ab7a | iam_account_password |
| medium | AWS IAM password policy does not have a symbol | `$.resource[*].aws_iam_account_password_policy[*].*[*].require_symbols anyFalse` | f8013bbf-21b8-4e81-b6ef-7b568407129c | iam_account_password |
| medium | AWS IAM password policy does not have an uppercase character | `$.resource[*].aws_iam_account_password_policy[*].*[*].require_uppercase_characters anyFalse` | d6dadfcf-a98c-4917-97b5-a5df6a9c493d | iam_account_password |
| medium | AWS IAM password policy allows password reuse | `$.resource[*].aws_iam_account_password_policy[*].*[*].password_reuse_prevention == 0` | c6921472-260e-460a-aa55-77e69e2ee0ba | iam_account_password_policy |
| low | AWS IAM policy attached to users | `$.resource[*].aws_iam_policy_attachment[*].*[*].users exists and $.resource[*].aws_iam_policy_attachment[*].*[*].users[*] is not empty` | 1903f355-b68f-4d9c-84dd-c46abe4f8673 | iam_policy_attachment |
| medium | GCP Kubernetes Engine Cluster Nodes have default Service account for Project access | `$.resource[*].google_container_cluster[*].*[*].node_config anyNull or $.resource[*].google_container_cluster[*].*[*].node_config[*].service_account anyNull` | f125951d-f5c0-4ca6-aab2-d443485e04a1 | k8s container cluster service account |
| medium | AWS Customer Master Key (CMK) rotation is not enabled | `$.resource[*].aws_kms_key exists and ( $.resource[*].aws_kms_key[*].*[*].enable_key_rotation anyFalse or $.resource[*].aws_kms_key[*].*[*].enable_key_rotation anyNull)` | 497f7e2c-b702-47c7-9a07-f0f6404ac896 | kms |
| low | GCP Kubernetes Engine Clusters Client Certificate is set to Disabled | `$.resource[*].google_container_cluster[*].*.*.master_auth[*].client_certificate_config[*].issue_client_certificate anyTrue` | d07dbdce-2cd8-4b0c-b97e-ceb4d7e98952 | kubernetes engine |
| low | GCP Kubernetes Engine Clusters have Alias IP disabled | `$.resource[*].google_container_cluster exists and $.resource[*].google_container_cluster[*].*.*.ip_allocation_policy does not exist` | 33104909-45f5-4533-8b71-d54716dc7184 | kubernetes engine |
| low | GCP Kubernetes Engine Clusters have HTTP load balancing disabled | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.addons_config[*].http_load_balancing[*].disabled anyTrue)` | afb8ee15-96a4-4f32-83a5-c5f60c49de75 | kubernetes engine |
| low | GCP Kubernetes Engine Clusters not configured with private cluster | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.private_cluster_config anyNull or $.resource[*].google_container_cluster.*[*].*.private_cluster_config[*].enable_private_nodes anyNull or $.resource[*].google_container_cluster.*[*].*.private_cluster_config[*].enable_private_nodes anyFalse)` | 33a04b8d-970b-43c3-b584-c704695178ed | kubernetes engine |
| low | GCP Kubernetes Engine Clusters not using Container-Optimized OS for Node image | `$.resource[*].google_container_node_pool exists and ($.resource[*].google_container_node_pool.*[*].*.node_config anyNull or $.resource[*].google_container_node_pool.*[*].*.node_config[*].image_type anyNull or not $.resource[*].google_container_node_pool.*[*].*.node_config[*].image_type allStartWith cos )` | b80d079e-9db6-440e-a35a-64e53e47e6fc | kubernetes engine |
| medium | GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled | `$.resource.*.google_container_cluster.*.*.*.master_auth exists and not ($.resource.*.google_container_cluster.*.*.*.master_auth.*.password is empty and $.resource.*.google_container_cluster.*.*.*.master_auth.*.username is empty)` | b6b3b461-767c-43f5-b608-b84e8c40fa88 | kubernetes engine |
| medium | GCP Kubernetes Engine Clusters have Legacy Authorization enabled | `$.resource[*].google_container_cluster.*.*[*].enable_legacy_abac anyTrue` | 3a8dde2f-ee02-4d51-bcd1-b119c0207226 | kubernetes engine |
| medium | GCP Kubernetes Engine Clusters have Master authorized networks disabled | `$.resource[*].google_container_cluster[*].*.*.master_authorized_networks_config anyNull` | 48ed0930-8a52-4426-b196-d0a3969bde11 | kubernetes engine |
| medium | GCP Kubernetes Engine Clusters have Network policy disabled | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.network_policy anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config[*].disabled anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config[*].disabled anyTrue)` | ca78ea0f-83ec-4401-9c33-300215ebe7b3 | kubernetes engine |
| medium | GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled | `$.resource[*].google_container_cluster exists and $.resource[*].google_container_cluster.*[*].*.addons_config[*].kubernetes_dashboard[*].disabled anyFalse` | 243d8c63-97cf-434a-b75e-2a84c57fdc37 | kubernetes engine |
| medium | GCP Kubernetes cluster Application-layer Secrets not encrypted | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster[*].*[*].database_encryption anyNull or $.resource[*].google_container_cluster[*].*[*].database_encryption[*].state any equal DECRYPTED)` | 7ece6176-027f-4cf7-885e-555d11786c27 | kubernetes engine |
| medium | GCP Kubernetes cluster istioConfig not enabled | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.addons_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*] anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*].disabled anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*].disabled anyTrue)` | 6afc115a-d9f9-45e8-9716-6a4204621074 | kubernetes engine |
| high | AWS RDS snapshots are accessible to public | `$.resource[*].aws_db_instance exists and ($.resource[*].aws_db_instance[*].*[*].publicly_accessible !exists or $.resource[*].aws_db_instance[*].*[*].publicly_accessible anyTrue)` | 054e0760-d0e2-454a-8898-015e9e9fbc1a | rds |
| medium | AWS Redshift does not have require_ssl configured | `$.resource[*].aws_redshift_parameter_group exists and ($.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl')] !exists or $.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl' && @.value=='false' )] exists)` | 2ff03f80-c9f6-4a37-b8b1-1212965e352d | redshift |
| high | AWS S3 buckets are accessible to public | `$.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.acl anyEqual public-read-write or $.resource[*].aws_s3_bucket.*[*].*.acl anyEqual public-read)` | ded75b65-7ef6-4239-a08f-d4d9a4eb218b | s3 |
| medium | AWS S3 CloudTrail buckets for which access logging is disabled | `$.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket[*].*[*].logging anyNull)` | 41215510-c504-4752-ab38-0a36e49d55f8 | s3 |
| medium | AWS S3 Object Versioning is disabled | `$.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled does not exist or $.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled anyFalse)` | 1914c65c-2406-4261-88cd-fbeb684a15dc | s3 |
| high | AWS Default Security Group does not restrict all traffic | `$.resource[*].aws_default_security_group exists and ($.resource[*].aws_default_security_group[*].*[*].ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group[*].*[*].ingress[*].ipv6_cidr_blocks[*] contains ::/0 or $.resource[*].aws_default_security_group[*].*[*].egress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group[*].*[*].egress[*].ipv6_cidr_blocks[*] contains ::/0)` | c8f6a525-e4ba-4499-b015-15153c797143 | security group |
| high | AWS Security Groups allow internet traffic to RDP port (3389) | `$.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<3390 && @.to_port>3388 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<3390 && @.to_port>3388)].ipv6_cidr_blocks[*] contains ::/0)` | 1796efe6-802d-4768-8c17-7491c560b686 | security group |
high AWS Security Groups allow internet traffic to SSH port (22) $.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].ipv6_cidr_blocks[*] contains ::/0) 9745cb18-32f9-4411-a59c-fae4ffa362ce security group
high AWS Security Groups with Inbound rule overly permissive to All Traffic ($.resource[*].aws_security_group exists and ($.resource[*].aws_security_group.*[*].*.ingress[*].protocol equals -1 and ($.resource[*].aws_security_group.*[*].*.ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[*].ipv6_cidr_blocks[*] contains ::/0))) or ($.resource[*].aws_security_group_rule exists and ($.resource[*].aws_security_group_rule.*[*].*.protocol equals -1 and $.resource[*].aws_security_group_rule.*[*].*.type equals ingress and ($.resource[*].aws_security_group_rule.*[*].*.cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group_rule.*[*].*.ipv6_cidr_blocks[*] contains ::/0))) eba4d571-4338-4f62-8110-9be6c4b47fd0 security group
medium GCP User managed service accounts have user managed service account keys $.resource[*].google_service_account_key[*].*[*].service_account_id contains google_service_account or $.resource[*].google_service_account_key[*].*[*].service_account_id any end with iam.gserviceaccount.com 0173b3d8-91b5-4a10-8105-e92b1f3b5914 service account key
low GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK) $.resource[*].google_compute_disk exists and $.resource[*].google_compute_disk.*.[*].*.disk_encrypt_key does not exist 3289c0b3-0298-4653-ac41-05c43478b1b0 storage
medium GCP Storage log buckets have object versioning disabled $.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.versioning anyNull or $.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled anyNull or $.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled anyFalse) 53a9b6e1-dd93-4110-b443-4658c13134b4 storage
medium Storage Accounts without Secure transfer enabled $.resource[*].azurerm_storage_account exists and ($.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only anyNull or $.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only anyFalse) 80f6dc01-4aaa-4712-a7bf-70e103fea4a3 storage
medium Storage Bucket does not have Access and Storage Logging enabled $.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.logging anyNull or $.resource[*].google_storage_bucket.*[*].*.logging[*].log_bucket anyEmpty) 22df2129-f6bf-4a10-9118-42b8d5d922a9 storage
medium AWS VPC allows unauthorized peering $.resource[*].aws_vpc_peering_connection[*].*[*].peer_vpc_id does not equal $.resource[*].aws_vpc_peering_connection[*].*[*].vpc_id 59356130-d856-470d-a08e-b2a0ba2a4ac7 vpc

CloudFormation policies

Severity Policy Rule ID Resource Type
medium AWS Customer Master Key (CMK) rotation is not enabled $.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation any null or $.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation anyFalse 6ae8d0a5-4794-438c-aafa-200f94b45f1f AWS Customer Master Key (CMK)
medium AWS CloudTrail is not enabled in all regions $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail any null or $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail anyFalse c1ad39ed-5341-43cb-8266-4d93a2033d75 AWS cloudtrail
medium AWS security group allows traffic from blocked ports $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '22' && @.ToPort == '22' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '22' && @.ToPort == '22' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '21' && @.ToPort == '21' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '21' && @.ToPort == '21' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5800' && @.ToPort == '5800' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5800' && @.ToPort == '5800' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5900' && @.ToPort == '5900' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5900' && @.ToPort == '5900' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '2323' && @.ToPort == '2323' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '2323' && @.ToPort == '2323' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '23' && @.ToPort == '23' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '23' && @.ToPort == '23' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '25' && @.ToPort == '25' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '25' && @.ToPort == '25' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '110' && @.ToPort == '110' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '110' && @.ToPort == '110' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '143' && @.ToPort == '143' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '143' && @.ToPort == '143' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == '-1' && @.FromPort == '53' && @.ToPort == '53' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '53' && @.ToPort == '53' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'udp' && @.FromPort == '135' && @.ToPort == '135' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '135' && @.ToPort == '135' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == '-1' && @.FromPort == '137' && @.ToPort == '137' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '137' && @.ToPort == '137' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'udp' && @.FromPort == '69' && @.ToPort == '69' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '69' && @.ToPort == '69' && @.CidrIp6 == '::/0')] size greater than 0 b95c4df5-7881-4dda-85ea-fb8c83600d03 AWS security group ingress ports
medium AWS IAM policy attached to users $.Resources.*[?(@.Type=='AWS::IAM::Policy')].Properties.Users exists and $.Resources.*[?(@.Type=='AWS::IAM::Policy')].Properties.Users[*] is not empty c441b20b-5daf-4862-b383-798b61c72819 AWS_IAM_policy
medium AWS CloudTrail logs are not encrypted using Customer Master Keys $.Resources.*[?(@.Type == 'AWS::CloudTrail::Trail')] size > 0 and ($.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId anyNull or $.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId anyEmpty ) 7d618dd9-e061-4e14-bc7b-812c0394bbef cloudtrail
medium AWS VPC subnets should not allow automatic public IP assignment $.Resources.*[?(@.Type == 'AWS::EC2::Subnet')].Properties.MapPublicIpOnLaunch anyTrue 11743cd3-35e4-4639-91e1-bc87b52d4cf5 ec2
high AWS ECS task definition elevated privileges enabled $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Privileged any equal true 38026e84-451b-4290-a008-562eeb36212a ecs
low AWS ECS task definition readonlyRootFilesystem not enabled $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any equal false 0f4959be-5d2d-41cf-aa45-08bb4c13121f ecs
medium AWS ECS task definition logging not enabled $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration.LogDriver any null 404b49c0-ad7e-41a7-94ae-587901872524 ecs
medium AWS ECS task definition resource limits not set $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any equal 0 or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any equal 0 or ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any null and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any null) or ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any equal 0 and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any equal 0) 44a82298-64d1-4b4b-a9ad-eeda02448975 ecs
medium AWS ElasticSearch cluster not in a VPC $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions any null or ($.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions exists and $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions.SubnetIds any null) 3b745764-1d47-4adf-a023-18b95dcd713e elasticsearch
high AWS RDS instance is not encrypted $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any equal false 34fa9efb-d18f-41e4-b93f-2f7e5378752c rds
high AWS RDS snapshots are accessible to public $.Resources.*[?(@.Type == 'AWS::RDS::DBInstance')] exists and $.Resources.*[?(@.Type == 'AWS::RDS::DBInstance')].Properties.PubliclyAccessible anyTrue d68f9185-422e-42d3-b673-b1aef528012c rds
low AWS RDS instance with copy tags to snapshots disabled $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any equal false 8a910436-344a-4bd9-9359-239a3ca13b99 rds
low AWS RDS instance without Automatic Backup setting $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.BackupRetentionPeriod any equal 0 f81d0239-3633-4828-a499-d2d1b1219a5c rds
medium AWS RDS instance with Multi-Availability Zone disabled $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.MultiAZ any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.MultiAZ any false f606fe0b-2950-42ce-a3b2-7f100ece5c3a rds
high AWS Redshift instances are not encrypted $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.Encrypted any null or $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.Encrypted anyFalse 0132bbb2-c733-4c36-9c5d-c58967c7d1a6 redshift
medium AWS Redshift clusters should not be publicly accessible $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.PubliclyAccessible any true d65fd313-1c5c-42a1-98b2-a73bdeda19a6 redshift
medium AWS Redshift database does not have audit logging enabled $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.LoggingProperties any null 91c941aa-d110-4b33-9934-aadd86b1a4d9 redshift
high AWS S3 buckets are accessible to public ($.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicRead or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicReadWrite) bbb01285-7fc6-4649-85c0-6ab9f08bde4f s3
low AWS S3 buckets do not have server side encryption $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption any null or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm any null ff6a3231-bb09-4fba-82ea-46ee3228a9f2 s3
medium AWS Access logging not enabled on S3 buckets $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.LoggingConfiguration any null 4daa435b-fa46-457a-9359-6a4b4a43a442 s3
medium AWS S3 Object Versioning is disabled $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration does not exist or ($.Resources[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration exists and $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration.Status contains Suspended) 8ec3f878-0f5e-4782-b4cd-98018b217be5 s3
medium AWS SNS subscription is not configured with HTTPS $.Resources.*[?(@.Type == 'AWS::SNS::Subscription')].Properties.Protocol contains http b53e5177-96e1-4999-a9c8-6400190910bb sns
medium AWS SQS queue encryption using default KMS key instead of CMK $.Resources.*[?(@.Type == 'AWS::SQS::Queue')].Properties.KmsMasterKeyId contains alias/aws/sqs 0a626f64-d911-4366-b7dc-629a6557d7b5 sqs