Prisma Cloud IaC Scan

Scans CloudFormation, Terraform, and Kubernetes deployment YAML files for security issues. The policies below are the Kubernetes and Terraform rule sets. Each rule is a path expression (JSONPath-style, rooted at `$`) evaluated against the parsed template; a policy fires when its rule expression is true.

Kubernetes app YAML policies

Each policy is listed with its severity, rule expression, description, and resource type.

Severity: high
Policy: All capabilities should be dropped
Rule: $.spec.template.spec.containers[*].securityContext.capabilities.drop exists and !contains all
Description: Ensure that all capabilities are dropped.
Resource Type: k8s

Severity: high
Policy: Avoid running privileged containers
Rule: $.spec.template.spec.containers[*].securityContext.privileged is true
Description: Ensure that privileged is false for every container.
Resource Type: k8s

Severity: high
Policy: Containers must be run as non-root
Rule: $.spec.template.spec.containers[*].securityContext.runAsNonRoot exists and is false
Description: Ensure containers run as non-root.
Resource Type: k8s

Severity: high
Policy: Do not run containers as root
Rule: $.spec.template.spec.securityContext.runAsUser < 1
Description: Ensure the pod-level runAsUser is not 0 (root).
Resource Type: k8s

Severity: high
Policy: Do not share host network with containers
Rule: $.spec.template.spec.hostNetwork is true
Description: Ensure the host network namespace is not shared with containers.
Resource Type: k8s

Severity: low
Policy: Do not allow volume claims to be read by many nodes
Rule: $.spec.volumeClaimTemplates[*].spec.accessModes == ReadOnlyMany
Description: Ensure volume claims are not mounted read-only by many nodes.
Resource Type: k8s

Severity: medium
Policy: Do not allow sharing host IPC namespace
Rule: $.spec.template.spec.hostIPC is true
Description: Ensure the host IPC namespace is not shared with containers.
Resource Type: k8s

Severity: medium
Policy: Do not allow sharing host PID namespace
Rule: $.spec.template.spec.hostPID is true
Description: Ensure the host PID namespace is not shared with containers.
Resource Type: k8s

Severity: medium
Policy: Do not run containers with dangerous capabilities
Rule: $.spec.template.spec.containers[*].securityContext.capabilities exists and $.spec.template.spec.containers[*].securityContext.capabilities.add[*] is member of (FSETID, SETUID, SETGID,SYS_CHROOT,SYS_PTRACE,CHOWN,NET_RAW,NET_ADMIN,SYS_ADMIN,NET_BIND_SERVICE)
Description: Ensure containers do not add dangerous capabilities.
Resource Type: k8s

Severity: medium
Policy: Ensure containers are immutable
Rule: $.spec.template.spec.containers[*].securityContext.readOnlyRootFilesystem exists and is false
Description: Ensure containers use a read-only root filesystem.
Resource Type: k8s

Severity: medium
Policy: Do not allow volume claims to be read-write by many nodes
Rule: $.spec.volumeClaimTemplates[*].spec.accessModes == ReadWriteMany
Description: Ensure volume claims are not mounted read-write by many nodes.
Resource Type: k8s

Severity: medium
Policy: Entrypoint of the container must run as a user with a high ID
Rule: $.spec.template.spec.containers[*].securityContext.runAsUser < 9999
Description: Ensure the container entrypoint runs as a user with a high UID (the rule flags any runAsUser below 9999).
Resource Type: k8s
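To make the rule semantics concrete, the following is an added example (not Prisma Cloud code) that re-implements the Kubernetes rules above as plain Python checks over a parsed Deployment. The manifests are constructed samples shaped like what a YAML parser returns, so no YAML library is needed, and the policy names returned are the ones in the table. It also shows a consequence of how several rules are phrased: `runAsNonRoot exists and is false` and `capabilities.drop exists and !contains all` never fire on a manifest that omits the field entirely, so a bare container with no securityContext passes every rule.

```python
# Added example: the Kubernetes rules above re-implemented as plain Python checks.
# This is not Prisma Cloud code. The manifests are constructed test data shaped
# like a parsed Deployment/StatefulSet (the dict yaml.safe_load would return).

DANGEROUS_CAPS = {"FSETID", "SETUID", "SETGID", "SYS_CHROOT", "SYS_PTRACE",
                  "CHOWN", "NET_RAW", "NET_ADMIN", "SYS_ADMIN", "NET_BIND_SERVICE"}


def check_workload(manifest):
    """Return the policy names a workload manifest violates, in evaluation order."""
    findings = []
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext", {})

    # Pod-level host namespace sharing: hostNetwork / hostPID / hostIPC is true
    for key, policy in (("hostNetwork", "Do not share host network with containers"),
                        ("hostPID", "Do not allow sharing host PID namespace"),
                        ("hostIPC", "Do not allow sharing host IPC namespace")):
        if pod.get(key) is True:
            findings.append(policy)

    # Pod-level runAsUser < 1 means UID 0, i.e. root
    if type(pod_sc.get("runAsUser")) is int and pod_sc["runAsUser"] < 1:
        findings.append("Do not run containers as root")

    for container in pod.get("containers", []):
        sc = container.get("securityContext", {})
        caps = sc.get("capabilities")
        if caps is not None:
            dropped = {c.upper() for c in (caps.get("drop") or [])}
            added = {c.upper() for c in (caps.get("add") or [])}
            # Rule fires only when a drop list exists and it lacks ALL
            if "drop" in caps and "ALL" not in dropped:
                findings.append("All capabilities should be dropped")
            if added & DANGEROUS_CAPS:
                findings.append("Do not run containers with dangerous capabilities")
        if sc.get("privileged") is True:
            findings.append("Avoid running privileged containers")
        # "exists and is false": an absent key passes these two rules
        if sc.get("runAsNonRoot") is False:
            findings.append("Containers must be run as non-root")
        if sc.get("readOnlyRootFilesystem") is False:
            findings.append("Ensure containers are immutable")
        uid = sc.get("runAsUser")
        if type(uid) is int and uid < 9999:
            findings.append("Entrypoint of the container must run as a user with a high ID")

    # StatefulSet volumeClaimTemplates access modes
    for claim in spec.get("volumeClaimTemplates", []):
        modes = claim.get("spec", {}).get("accessModes", [])
        if "ReadOnlyMany" in modes:
            findings.append("Do not allow volume claims to be read by many nodes")
        if "ReadWriteMany" in modes:
            findings.append("Do not allow volume claims to be read-write by many nodes")
    return findings


# Constructed sample: violates eight of the rules above
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "securityContext": {"runAsUser": 0},
        "containers": [{
            "name": "web", "image": "nginx:1.25",
            "securityContext": {
                "privileged": True,
                "runAsNonRoot": False,
                "readOnlyRootFilesystem": False,
                "runAsUser": 1000,
                "capabilities": {"drop": ["NET_RAW"], "add": ["SYS_ADMIN"]},
            },
        }],
    }}},
}

# Constructed sample: the same Deployment hardened so every rule passes
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 10001, "runAsNonRoot": True},
        "containers": [{
            "name": "web", "image": "nginx:1.25",
            "securityContext": {
                "privileged": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "runAsUser": 10001,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}

# Constructed sample with no securityContext at all: passes every rule, because the
# "<field> exists and is false" rules never fire on an absent field
BARE_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "web", "image": "nginx:1.25"}]}}}}

if __name__ == "__main__":
    for label, manifest in (("bad", BAD_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT),
                            ("bare", BARE_DEPLOYMENT)):
        print(label, check_workload(manifest))
```

Run the file directly to print the findings for each manifest. The third manifest is the practical caveat: these rules cannot distinguish "explicitly hardened" from "never configured", so an empty result is not proof of hardening; require the fields explicitly in your own baseline.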

Terraform policies

Each policy is listed with its severity, rule expression, description, and resource type.

Severity: high
Policy: Azure AKS role-based access control (RBAC) not enforced
Rule: $.resource.*.azurerm_kubernetes_cluster[*].*[*].role_based_access_control anyNull or $.resource.*.azurerm_kubernetes_cluster[*].*[*].role_based_access_control[*].enabled anyFalse
Description: To provide granular filtering of the actions that users can perform, Kubernetes uses role-based access control (RBAC). This control mechanism lets you assign users, or groups of users, permission to do things like create or modify resources, or view logs from running application workloads. These permissions can be scoped to a single namespace or granted across the entire AKS cluster. This policy checks your AKS cluster RBAC setting and alerts if it is disabled.
Resource Type: AKS

Severity: medium
Policy: AWS VPC NACL allows egress traffic on blocked ports
Rule: $.resource[*].aws_network_acl exists and $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].action==allow
Description: Ensure AWS VPC NACLs do not allow egress traffic on the blocked ports listed in the rule.
Resource Type: AWS NACL egress rules

Severity: low
Policy: AWS S3 CloudTrail buckets for which access logging is disabled
Rule: $.resource[*].aws_cloudtrail[*].*[*].enable_logging anyFalse
Description: This policy identifies S3 CloudTrail buckets for which access logging is disabled. S3 bucket access logging generates access records for each request made to your S3 bucket. An access log record contains information such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
Note: The rule expression checks the enable_logging argument of the aws_cloudtrail resource, not the logging block of the S3 bucket, so it fires when trail logging is disabled rather than when bucket access logging is missing.
Resource Type: AWS S3 CloudTrail logging

Severity: medium
Policy: AWS VPC NACL allows traffic from blocked ports
Rule: $.resource[*].aws_network_acl exists and $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].action==allow
Description: Ensure AWS VPC NACLs do not allow ingress traffic on the blocked ports listed in the rule.
Resource Type: AWS VPC NACL allow traffic

Severity: high
Policy: AWS CloudTrail bucket is publicly accessible
Rule: $.resource[*].aws_cloudtrail exists and $.resource[*].aws_cloudtrail[*].*[*].s3_bucket_name equals $.resource[*].aws_s3_bucket_public_access_block[*].*[*].bucket and ($.resource[*].aws_s3_bucket_public_access_block[*].*[*].block_public_acls isFalse or $.resource[*].aws_s3_bucket_public_access_block[*].*[*].block_public_policy isFalse)
Description: This policy identifies publicly accessible S3 buckets that store CloudTrail data. These buckets contain sensitive audit data, and only authorized users and applications should have access.
Resource Type: AWS_cloudtrail_s3_bucket
Severity: medium
Policy: Azure App Service Web app authentication is off
Rule: $.resource.*.azurerm_app_service[*].*[*].auth_settings[*].enabled anyFalse or $.resource.*.azurerm_app_service[*].*[*].auth_settings anyNull
Description: Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service redirects to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
Resource Type: App Service

Severity: medium
Policy: Azure App Service Web app doesn't have a Managed Service Identity
Rule: $.resource.*.azurerm_app_service[*].*[*].identity anyNull
Description: A managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in connection strings. When registered with Azure Active Directory, the app connects to other Azure services securely without usernames and passwords.
Resource Type: App Service

Severity: medium
Policy: Azure App Service Web app doesn't use latest TLS version
Rule: $.resource.*.azurerm_app_service[*].*[*].site_config[?( @.min_tls_version!='1.2' && @.min_tls_version )] size greater than 0
Description: Checks that the Azure App Service uses the latest TLS version (the rule flags a min_tls_version set to anything other than 1.2).
Resource Type: App Service

Severity: medium
Policy: Activity Log Retention should not be set to less than 365 days
Rule: $.resource.*.azurerm_monitor_log_profile size greater than 0 and ( $.resource.*.azurerm_monitor_log_profile[*].*[*].retention_policy size equals 0 or $.resource.*.azurerm_monitor_log_profile[*].*[*].retention_policy[*].enabled anyFalse or $.resource.*.azurerm_monitor_log_profile[*].*[*].retention_policy[?(@.days<365)] size greater than 0 )
Description: A Log Profile controls how your Activity Log is exported and retained. Since the average time to detect a breach is over 200 days, it is recommended to retain your activity log for 365 days or more in order to have time to respond to any incidents.
Resource Type: Azure Activity Log

Severity: medium
Policy: Azure Key Vault secrets have no expiration date
Rule: $.resource.*.azurerm_key_vault_secret[*].*[*].expiration_date anyNull
Description: This policy identifies Azure Key Vault secrets that do not have an expiry date. As a best practice, set an expiration date for each secret and rotate the secret regularly. Before you activate this policy, ensure that you have added the Redlock Service Principal to each Key Vault: https://docs.paloaltonetworks.com/redlock/redlock-admin/connect-your-cloud-platform-to-redlock/onboard-your-azure-account/set-up-your-azure-account.html
Resource Type: Azure Key Vault Key
Severity: high
Policy: Azure Network Security Group (NSG) allows SSH traffic from internet on port 22
Rule: ($.resource[*].azurerm_network_security_rule exists and ($.resource[*].azurerm_network_security_rule.*[*].*.access contains Allow and $.resource[*].azurerm_network_security_rule.*[*].*.destination_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.source_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.destination_port_range contains 22 and $.resource[*].azurerm_network_security_rule.*[*].*.direction contains Inbound))
Description: Blocking SSH port 22 from the internet protects against attacks such as account compromise.
Resource Type: Azure Network Security Group

Severity: medium
Policy: Azure Network Security Group (NSG) allows traffic from internet on port 3389
Rule: $.resource.*.azurerm_network_security_rule[*].*[?( @.access == 'Allow' && @.direction == 'Inbound' )].destination_port_ranges contains 3389 or $.resource.*.azurerm_network_security_rule[*].*[?( @.access == 'Allow' && @.direction == 'Inbound' )].destination_port_range equals 3389
Description: Blocking RDP port 3389 from the internet protects against attacks such as account compromise, denial of service, and ransomware.
Resource Type: Azure Network Security Group

Severity: medium
Policy: Azure Network Watcher Network Security Group (NSG) flow logs retention is less than 90 days
Rule: $.resource.*.azurerm_network_security_group size greater than 0 and ($.resource.*.azurerm_network_watcher_flow_log size equals 0 or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].enabled anyNull or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].enabled anyFalse or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].retention_policy[*].enabled anyFalse or $.resource.*.azurerm_network_watcher_flow_log[*].*[*].retention_policy[?( @.days<90 )] size greater than 0)
Description: This policy identifies Azure Network Security Groups (NSGs) for which flow logs are absent, disabled, or retained for less than 90 days. To perform this check, enable this action on the Azure Service Principal: ‘Microsoft.Network/networkWatchers/queryFlowLogStatus/action’. NSG flow logs, a feature of Network Watcher, let you view information about ingress and egress IP traffic through an NSG. As a best practice, enable NSG flow logs and set the log retention period to at least 90 days.
Resource Type: Azure Network Security Group

Severity: high
Policy: Azure SQL Server audit log retention is less than 91 days
Rule: $.resource.*.azurerm_sql_database size greater than 0 and $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy size greater than 0 and ($.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].retention_days anyNull or $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[?( @.retention_days<91 )] size greater than 0)
Description: Audit logs can help you find suspicious events, unusual activity, and trends. Auditing the SQL server at the server level allows you to track all existing and newly created databases on the instance. This policy identifies SQL servers that do not retain audit logs for more than 90 days. As a best practice, configure the audit log retention period to be greater than 90 days.
Note: The rule reads retention_days from the threat_detection_policy block of each azurerm_sql_database, so it evaluates the retention configured for threat detection rather than a server-level auditing policy.
Resource Type: Azure SQL Server

Severity: high
Policy: Azure SQL server auditing is disabled
Rule: $.resource.*.azurerm_sql_database size greater than 0 and ($.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy anyNull or $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].state anyEqual Disabled)
Description: Audit logs can help you find suspicious events, unusual activity, and trends to analyze database events. Auditing the SQL Server at the server level enables you to track all new and existing databases on the server. This policy identifies SQL servers that do not have auditing enabled. As a best practice, enable auditing on each SQL server so that its databases are audited regardless of the database-level auditing settings.
Note: The rule inspects the threat_detection_policy block of each azurerm_sql_database (absent, or state Disabled), not a server-level auditing policy.
Resource Type: Azure SQL Server

Severity: medium
Policy: Azure SQL Server advanced data security does not send alerts to service and co-administrators
Rule: $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy anyNull or $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].state anyEqual Disabled or $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].email_account_admins anyNull or $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].email_account_admins anyFalse
Description: Advanced data security (ADS) provides a set of advanced SQL security capabilities, including vulnerability assessment, threat detection, and data discovery and classification. This policy identifies Azure SQL databases whose threat detection policy is absent, disabled, or does not email account administrators (email_account_admins). As a best practice, enable ADS so that the administrators (service and co-administrators) receive email alerts when anomalous activities are detected on the SQL Servers.
Resource Type: Azure SQL Server

Severity: medium
Policy: Azure SQL Server advanced data security is disabled
Rule: $.resource.*.azurerm_sql_server size greater than 0 and ($.resource.*.azurerm_mssql_server_security_alert_policy size == 0 or $.resource.*.azurerm_mssql_server_security_alert_policy[*].*[*].state anyEqual "Disabled" or $.resource.*.azurerm_mssql_server_security_alert_policy[*].*[*].retention_days anyNull )
Description: Advanced data security (ADS) provides a set of advanced SQL security capabilities, including vulnerability assessment, threat detection, and data discovery and classification. This policy identifies Azure SQL servers that do not have ADS enabled. As a best practice, enable ADS on mission-critical SQL servers.
Resource Type: Azure SQL Server

Severity: medium
Policy: Azure SQL Server threat detection alerts not enabled for all threat types
Rule: $.resource.*.azurerm_sql_database size greater than 0 and $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy size greater than 0 and $.resource.*.azurerm_sql_database[*].*[*].threat_detection_policy[*].disabled_alerts[*] size greater than 0
Description: Threat detection alerts on anomalous database activity such as SQL injection, unusual access patterns, and suspicious logins. This policy identifies Azure SQL databases whose threat detection policy has one or more alert types switched off (a non-empty disabled_alerts list). As a best practice, enable alerts for all threat types.
Resource Type: Azure SQL Server

Severity: medium
Policy: SQL servers which do not have Azure Active Directory admin configured
Rule: $.resource.*.azurerm_sql_server size greater than 0 and ($.resource.*.azurerm_sql_active_directory_administrator size equals 0)
Description: Checks that SQL servers are configured with Active Directory admin authentication. Azure Active Directory authentication is a mechanism for connecting to Microsoft Azure SQL Database and SQL Data Warehouse using identities in Azure Active Directory (Azure AD). With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one location.
Resource Type: Azure SQL Server
Severity: medium
Policy: Azure storage account logging for queues is disabled
Rule: $.resource.*.azurerm_storage_account.*.*.*.queue_properties.*.logging.* size > 0 and ($.resource.*.azurerm_storage_account.*.*.*.queue_properties.*.logging.*.delete anyFalse or $.resource.*.azurerm_storage_account.*.*.*.queue_properties.*.logging.*.read anyFalse or $.resource.*.azurerm_storage_account.*.*.*.queue_properties.*.logging.*.write anyFalse )
Description: Storage Logging records details of requests (read, write, and delete operations) against your Azure queues. The logs include additional information such as: 1) timing and server latency; 2) success or failure, and HTTP status code; 3) authentication details. This policy identifies Azure storage accounts that do not have logging enabled for queues. As a best practice, enable logging for read, write, and delete request types on queues.
Resource Type: Azure Storage Account

Severity: medium
Policy: Azure Storage Account 'Trusted Microsoft Services' access not enabled
Rule: $.resource.*.azurerm_storage_account size greater than 0 and ($.resource.*.azurerm_storage_account[*].*[*].network_rules anyNull or $.resource.*.azurerm_storage_account[*].*[*].network_rules[*].bypass anyNull or not ( $.resource.*.azurerm_storage_account[*].*[*].network_rules[*].bypass allEqual "AzureServices" ))
Description: Some Microsoft services that interact with storage accounts operate from networks that cannot be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription).
Resource Type: Azure Storage Account

Severity: medium
Policy: Azure Storage Account default network access is set to 'Allow'
Rule: $.resource.*.azurerm_storage_account size greater than 0 and ( $.resource.*.azurerm_storage_account_network_rules[*].*[*].default_action anyEqual "Allow" or $.resource.*.azurerm_storage_account[*].*[*].network_rules[*].default_action anyEqual "Allow" )
Description: Restricting default network access adds a layer of security, since by default storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed to Deny.
Resource Type: Azure Storage Account

Severity: medium
Policy: Azure Virtual Machine does not have endpoint protection installed
Rule: $.resource.*.azurerm_virtual_machine size greater than 0 and $.resource.*.azurerm_virtual_machine_extension[*].*[*].type does not contain EndpointSecurity and $.resource.*.azurerm_virtual_machine_extension[*].*[*].type does not contain TrendMicroDSA and $.resource.*.azurerm_virtual_machine_extension[*].*[*].type does not contain Antimalware and $.resource.*.azurerm_virtual_machine_extension[*].*[*].type does not contain EndpointProtection and $.resource.*.azurerm_virtual_machine_extension[*].*[*].type does not contain SCWPAgent and $.resource.*.azurerm_virtual_machine_extension[*].*[*].type does not contain PortalProtectExtension and $.resource.*.azurerm_virtual_machine_extension[*].*[*].type does not contain FileSecurity
Description: This policy identifies Azure Virtual Machines (VMs) that do not have endpoint protection installed. Installing endpoint protection (such as Antimalware for Azure) provides real-time protection that helps identify and remove viruses, spyware, and other malicious software. As a best practice, install endpoint protection on all VMs and computers.
Resource Type: Azure Virtual Machine

Severity: low
Policy: AWS ECS/Fargate task definition root user found
Rule: $.resource[*].aws_ecs_task_definition[*].*[*].container_definitions[?(@.user=='root')] exists
Description: The user name to use inside the container should not be root. This policy generates an alert if the root user is found in your container definition. The User parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run. Note: This parameter is not supported for Windows containers.
Resource Type: ECS task definition
Severity: medium
Policy: SQL Instances with network authorization exposing them to the Internet
Rule: $.resource[*].google_sql_database_instance[*].*[*].settings[*].ip_configuration[*].authorized_networks[*].value anyEqual 0.0.0.0/0 or $.resource[*].google_sql_database_instance[*].*[*].settings[*].ip_configuration[*].authorized_networks[*].value anyEqual ::/0
Description: Checks that the SQL instance does not authorize network traffic from the entire internet (an authorized network of 0.0.0.0/0 or ::/0).
Resource Type: GCP SQL DB Instance

Severity: medium
Policy: GCP VM instances have IP forwarding enabled
Rule: $.resource[*].google_compute_instance_template[*].*.[*].can_ip_forward anyTrue
Description: This policy identifies VM instances that have IP forwarding enabled. IP forwarding could open unintended and undesirable communication paths, and allows VM instances to send and receive packets with non-matching destination or source IPs. To enable the source and destination IP match check, disable IP forwarding.
Resource Type: GCP VM instances

Severity: low
Policy: GCP Kubernetes Engine Clusters have pod security policy disabled
Rule: $.resource[*].google_container_cluster.*[*].*.pod_security_policy_config anyNull or $.resource[*].google_container_cluster.*[*].*.pod_security_policy_config.enabled anyFalse
Description: This policy identifies Kubernetes Engine clusters that have pod security policy disabled. The Pod Security Policy defines a set of conditions that pods must meet to be accepted by the cluster; when a request to create or update a pod does not meet the conditions in the pod security policy, that request is rejected and an error is returned.
Note: PodSecurityPolicy was removed from Kubernetes in v1.25; on clusters running newer versions this setting no longer applies and pod-level admission control must be enforced by other means.
Resource Type: GCP k8s pod_security

Severity: medium
Policy: GCP Kubernetes Engine Clusters using the default network
Rule: $.resource[*].google_project[*].*[*].auto_create_network anyTrue or $.resource[*].google_project[*].*[*].auto_create_network anyNull
Description: This policy identifies Google Kubernetes Engine (GKE) clusters that are configured to use the default network. Because GKE uses this network when creating routes and firewalls for the cluster, as a best practice define a network configuration that meets your security and networking requirements for ingress and egress traffic instead of using the default network.
Note: The rule expression fires on google_project resources that leave auto_create_network unset or true (the setting that creates the default network); it does not inspect the cluster's network argument.
Resource Type: Google Project

Severity: medium
Policy: SQL Instances do not have SSL configured
Rule: $.resource[*].google_sql_database_instance exists and $.resource[*].google_sql_ssl_cert !exists
Description: Checks that the SSL configuration for the SQL instance is valid with an unexpired SSL certificate. Cloud SQL supports connecting to an instance using the Secure Socket Layer (SSL) protocol. If you are not connecting to an instance through the Cloud SQL Proxy, you should use SSL so that the data you send to and receive from Google Cloud SQL is secure.
Note: The rule expression only checks that a google_sql_ssl_cert resource is declared alongside the instance; it does not verify that the instance requires SSL for client connections.
Resource Type: Google SQL instances
Severity: low
Policy: GCP IAM user has overly permissive Cloud KMS roles
Rule: $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/cloudkms.admin' )].members any start with "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/cloudkms.admin' )].members any start with "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/cloudkms.admin' )].members any start with "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/cloudkms.admin')].member startsWith "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/cloudkms.admin')].members any start with "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/cloudkms.admin' )].member startsWith "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/cloudkms.admin' )].members any start with "user:"
Description: This policy identifies IAM users who have overly permissive Cloud KMS roles. The built-in/predefined IAM role Cloud KMS Admin allows the user to create, delete, and manage Cloud KMS key rings and keys. The built-in/predefined IAM role Cloud KMS CryptoKey Encrypter/Decrypter allows the user to encrypt and decrypt data at rest using the encryption keys. It is recommended to follow the principle of separation of duties, ensuring that one individual does not have all the permissions needed to complete a malicious action.
Note: The rule expression only matches roles/cloudkms.admin bindings granted to user: members; the Encrypter/Decrypter role is not checked.
Resource Type: IAM

Severity: low
Policy: GCP IAM user with service account privileges
Rule: $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].member startsWith "user:" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/iam.serviceAccountUser' || @.role=='roles/iam.serviceAccountActor' || @.role=='roles/iam.serviceAccountTokenCreator' )].members any start with "user:"
Description: Checks that IAM users do not have service account privileges. Adding a user as a service account actor lets that user act with the service account's privileges. Adding only authorized corporate IAM users as service account actors helps keep your information secure.
Resource Type: IAM

Severity: medium
Policy: GCP IAM Service account has admin privileges
Rule: $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.resource[*].google_organization_iam_binding[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.resource[*].google_organization_iam_member[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.resource[*].google_project_iam_binding[*].*[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/editor' || @.role=='roles/owner' )].member endsWith ".gserviceaccount.com" or $.resource[*].google_project_iam_member[*].*[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com"
Description: This policy identifies service accounts that have admin privileges (roles/editor or roles/owner). Applications use a service account to make requests to a service's Google API so that users are not directly involved. It is recommended not to grant admin access to service accounts.
Resource Type: IAM
Severity: high
Policy: AWS Security Groups allow internet traffic to SSH port (22)
Rule: $.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].ipv6_cidr_blocks[*] contains ::/0)
Description: This policy identifies AWS Security Groups that allow inbound traffic on the SSH port (22) from the public internet. Doing so may allow a bad actor to brute-force their way into the system and potentially gain access to the entire network.
Resource Type: Security Group ingress rule

Severity: medium
Policy: AWS RDS event subscription disabled for DB security groups
Rule: $.resource[*].aws_db_instance exists and ( $.resource[*].aws_db_event_subscription !exists or $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')] anyNull or not $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled anyNull or $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled anyTrue )
Description: This policy identifies RDS deployments for which the DB security group event subscription is disabled. You can create an Amazon RDS event notification subscription so that you are notified when an event occurs for given DB security groups.
Resource Type: aws_db_event_subscription

Severity: medium
Policy: Azure App Service Web app doesn't redirect HTTP to HTTPS
Rule: $.resource[*].azurerm_app_service.*.*.* size > 0 and ($.resource[*].azurerm_app_service[*].*.*.https_only anyNull or $.resource[*].azurerm_app_service[*].*.*.https_only anyFalse)
Description: Azure Web Apps allows sites to run under both HTTP and HTTPS by default, so web apps can be accessed by anyone using non-secure HTTP links. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.
Resource Type: azurerm_app_service

Severity: medium
Policy: Azure App Service Web app doesn't require Client Certs
Rule: $.resource[*].azurerm_app_service exists and ($.resource[*].azurerm_app_service[*].*.*.client_cert_enabled anyNull or $.resource[*].azurerm_app_service[*].*.*.client_cert_enabled anyFalse)
Description: Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
Resource Type: azurerm_app_service

Severity: medium
Policy: Azure App Service Web app doesn't use HTTP 2.0
Rule: $.resource[*].azurerm_app_service.*.*.* size > 0 and ($.resource[*].azurerm_app_service[*].*.*.http2_enabled anyNull or $.resource[*].azurerm_app_service[*].*.*.http2_enabled anyFalse)
Description: HTTP 2.0 brings performance improvements over the old HTTP version for the head-of-line blocking problem, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.
Resource Type: azurerm_app_service

Severity: medium
Policy: Azure App Service Web app doesn't use latest .Net Core version
Rule: $.resource.*.azurerm_app_service[*].*[*].site_config[?( @.dotnet_framework_version !='v4.0' && @.dotnet_framework_version )] size greater than 0
Description: Periodically, newer versions of .Net Core are released, either to fix security flaws or to add functionality. Using the latest .Net Core version for web apps is recommended in order to take advantage of security fixes, if any.
Note: The rule compares site_config.dotnet_framework_version against v4.0, which is the .NET Framework version setting of the app service rather than a .NET Core runtime version.
Resource Type: azurerm_app_service

Severity: high
Policy: Azure storage account has blob container(s) with public access
Rule: $.resource.*.azurerm_storage_blob size greater than 0 and $.resource.*.azurerm_storage_container size greater than 0 and $.resource.*.azurerm_storage_container[*].*.[*].container_access_type anyEqual blob or $.resource.*.azurerm_storage_container[*].*.[*].container_access_type anyEqual container
Description: This policy identifies blob containers within an Azure storage account that allow anonymous/public access ('container' or 'blob'). As a best practice, do not allow anonymous/public access to blob containers unless you have a very good reason. Instead, consider using a shared access signature token to provide controlled and time-limited access to blob containers.
Resource Type: azurerm_storage_blob

Severity: medium
Policy: AWS CloudTrail logs are not encrypted using Customer Master Keys (CMKs)
Rule: $.resource[*].aws_cloudtrail exists and ($.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyNull or $.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyEmpty)
Description: Checks that CloudTrail logs are encrypted with a customer managed KMS key (kms_key_id is set). AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of the AWS account. It is a compliance and security best practice to encrypt the CloudTrail data, since it may contain sensitive information.
Resource Type: cloudtrail

Severity: medium
Policy: AWS ECS/Fargate task definition execution IAM Role not found
Rule: $.resource[*].aws_ecs_task_definition exists and $.resource[*].aws_ecs_task_definition[*].*[*].container_definitions exists and ($.resource[*].aws_ecs_task_definition[*].*[*].execution_role_arn anyNull or $.resource[*].aws_ecs_task_definition[*].*[*].execution_role_arn anyEmpty)
Description: The execution IAM role is required by tasks to pull container images and publish container logs to Amazon CloudWatch on your behalf. This policy generates an alert if a task execution role is not found in your task definition.
Resource Type: ecs
high AWS EKS unsupported Master node version $.resource[*].aws_eks_cluster[*].*[*].version anyStartWith 1.9. Ensure your EKS Master node version is supported. This policy checks your EKS master node version and generates an alert if the version running is unsupported. eks
medium AWS ElasticSearch cluster not in a VPC $.resource[*].aws_elasticsearch_domain exists and $.resource[*].aws_elasticsearch_domain[*].*[*].vpc_options does not exist VPC support for Amazon ES is easy to configure, reliable, and offers an extra layer of security. With VPC support, traffic between other services and Amazon ES stays entirely within the AWS network, isolated from the public Internet. You can manage network access using existing VPC security groups, and you can use AWS Identity and Access Management (IAM) policies for additional protection. VPC support for Amazon ES domains is available at no additional charge. elasticsearch
medium GCP VPC Network subnets have Private Google access disabled $.resource[*].google_compute_subnetwork[*].*[*].private_ip_google_access anyNull or $.resource[*].google_compute_subnetwork[*].*[*].private_ip_google_access anyFalse This policy identifies GCP VPC Network subnets that have Private Google access disabled. Private Google access enables virtual machine instances on a subnet to reach Google APIs and services using an internal IP address rather than an external IP address. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. google compute subnetwork
medium GCP Projects have OS Login disabled $.resource[*].google_compute_project_metadata_item.[*].[*].[*].key exists and $.resource[*].google_compute_project_metadata_item.[*].[*].[*].key == enable-oslogin and $.resource[*].google_compute_project_metadata_item.[*].[*].[*].value exists and $.resource[*].google_compute_project_metadata_item.[*].[*].[*].value == FALSE This policy identifies GCP Projects which have OS Login disabled. Enabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM users. Revoking access for an IAM user revokes all the SSH keys associated with that user. It facilitates centralized and automated SSH key pair management, which is useful in handling cases such as responding to compromised SSH key pairs. google_compute_project
medium GCP Storage buckets are publicly accessible to all authenticated users $.resource[*].google_storage_bucket_access_control[*].*[*].entity contains allUsers This policy identifies the buckets which are publicly accessible to all authenticated users. Enabling public access to Storage Buckets enables anybody with an Internet connection to access sensitive information that is critical to the business. Access to a whole bucket is controlled by IAM. Access to individual objects within the bucket is controlled by their ACLs. google_storage_bucket_access_control
medium AWS IAM password policy does not expire in 90 days $.resource[*].aws_iam_account_password_policy[*].*[?( @.max_password_age>90 )] is not empty This policy identifies the IAM password policies which do not have password expiration set to 90 days. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place. iam_account_password
medium AWS IAM password policy does not have a lowercase character $.resource[*].aws_iam_account_password_policy[*].*[*].require_lowercase_characters anyFalse Checks to ensure that IAM password policy requires a lowercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place. iam_account_password
medium AWS IAM password policy does not have a minimum of 14 characters $.resource[*].aws_iam_account_password_policy[*].*[?( @.minimum_password_length<14 )] is not empty Checks to ensure that the IAM password policy requires a minimum of 14 characters. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place. iam_account_password
medium AWS IAM password policy does not have a number $.resource[*].aws_iam_account_password_policy[*].*[*].require_numbers anyFalse Checks to ensure that IAM password policy requires a number. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place. iam_account_password
medium AWS IAM password policy does not have a symbol $.resource[*].aws_iam_account_password_policy[*].*[*].require_symbols anyFalse Checks to ensure that IAM password policy requires a symbol. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place. iam_account_password
medium AWS IAM password policy does not have an uppercase character $.resource[*].aws_iam_account_password_policy[*].*[*].require_uppercase_characters anyFalse Checks to ensure that IAM password policy requires an uppercase character. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place. iam_account_password
medium AWS IAM password policy allows password reuse $.resource[*].aws_iam_account_password_policy[*].*[*].password_reuse_prevention == 0 This policy identifies IAM password policies which allow password reuse. AWS IAM (Identity & Access Management) allows customers to secure AWS console access. As a security best practice, customers must have strong password policies in place. iam_account_password_policy
low AWS IAM policy attached to users $.resource[*].aws_iam_policy_attachment[*].*[*].users exists and $.resource[*].aws_iam_policy_attachment[*].*[*].users[*] is not empty This policy identifies IAM policies attached directly to users. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not to users. iam_policy_attachment
medium GCP Kubernetes Engine Cluster Nodes have default Service account for Project access $.resource[*].google_container_cluster[*].*[*].node_config anyNull or $.resource[*].google_container_cluster[*].*[*].node_config[*].service_account anyNull This policy identifies Kubernetes Engine Cluster Nodes that use the default Service account for Project access. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access and more permissions than are required to run your Kubernetes Engine cluster. You should create and use a least-privileged service account to run your Kubernetes Engine cluster instead of using the Compute Engine default service account. If you are not creating a separate service account for your nodes, you should limit the scopes of the node service account to reduce the possibility of privilege escalation in an attack. k8s container cluster service account
medium AWS Customer Master Key (CMK) rotation is not enabled $.resource[*].aws_kms_key exists and ( $.resource[*].aws_kms_key[*].*[*].enable_key_rotation anyFalse or $.resource[*].aws_kms_key[*].*[*].enable_key_rotation anyNull) Checks to ensure that CMKs are rotated periodically. AWS KMS (Key Management Service) allows customers to create master keys to encrypt sensitive data in different services. As a security best practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys. kms
low GCP Kubernetes Engine Clusters Client Certificate is set to Disabled $.resource[*].google_container_cluster[*].*.*.master_auth[*].client_certificate_config[*].issue_client_certificate anyTrue This policy identifies Kubernetes Engine Clusters which have disabled Client Certificate. A client certificate is a base64-encoded public certificate used by clients to authenticate to the cluster endpoint. Enabling Client Certificate will provide more security to authenticate users to the cluster. kubernetes engine
low GCP Kubernetes Engine Clusters have Alias IP disabled $.resource[*].google_container_cluster exists and $.resource[*].google_container_cluster[*].*.*.ip_allocation_policy does not exist This policy identifies Kubernetes Engine Clusters which have disabled Alias IP. Alias IP allows the networking layer to perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs. By enabling Alias IPs, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to Google Cloud Platform. This makes your cluster more scalable and allows your cluster to better interact with other GCP products and entities. kubernetes engine
low GCP Kubernetes Engine Clusters have HTTP load balancing disabled $.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.addons_config[*].http_load_balancing[*].disabled anyTrue) This policy identifies GCP Kubernetes Engine Clusters which have HTTP load balancing disabled. HTTP/HTTPS load balancing provides global load balancing for HTTP/HTTPS requests destined for your instances. Enabling HTTP/HTTPS load balancers lets Kubernetes Engine terminate unauthorized HTTP/HTTPS requests and make better context-aware load balancing decisions. kubernetes engine
low GCP Kubernetes Engine Clusters not configured with private cluster $.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.private_cluster_config anyNull or $.resource[*].google_container_cluster.*[*].*.private_cluster_config[*].enable_private_nodes anyNull or $.resource[*].google_container_cluster.*[*].*.private_cluster_config[*].enable_private_nodes anyFalse) This policy identifies Kubernetes Engine Clusters which are not configured with the Private cluster. Private cluster makes your master inaccessible from the public internet and nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. kubernetes engine
low GCP Kubernetes Engine Clusters not using Container-Optimized OS for Node image $.resource[*].google_container_node_pool exists and ($.resource[*].google_container_node_pool.*[*].*.node_config anyNull or $.resource[*].google_container_node_pool.*[*].*.node_config[*].image_type anyNull or not $.resource[*].google_container_node_pool.*[*].*.node_config[*].image_type allStartWith cos ) This policy identifies Kubernetes Engine Clusters which do not have a container-optimized operating system for node image. Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. By using Container-Optimized OS for node image, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. The Container-Optimized OS node image is based on a recent version of the Linux kernel and is optimized to enhance node security. It is also regularly updated with features, security fixes, and patches. The Container-Optimized OS image provides better support, security, and stability than other images. kubernetes engine
medium GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled $.resource.*.google_container_cluster.*.*.*.master_auth exists and not ($.resource.*.google_container_cluster.*.*.*.master_auth.*.password is empty and $.resource.*.google_container_cluster.*.*.*.master_auth.*.username is empty) This policy identifies Kubernetes Engine Clusters which have enabled Basic authentication. Basic authentication allows a user to authenticate to the cluster with a username and password. Disabling Basic authentication will prevent attacks like brute force. Authenticate using client certificate or IAM. kubernetes engine
medium GCP Kubernetes Engine Clusters have Legacy Authorization enabled $.resource[*].google_container_cluster.*.*[*].enable_legacy_abac anyTrue This policy identifies GCP Kubernetes Engine Clusters which have the legacy authorizer enabled. The legacy authorizer in Kubernetes Engine grants broad and statically defined permissions to all cluster users. After the legacy authorizer setting is disabled, RBAC can limit permissions for authorized users based on need. kubernetes engine
medium GCP Kubernetes Engine Clusters have Master authorized networks disabled $.resource[*].google_container_cluster[*].*.*.master_authorized_networks_config anyNull This policy identifies Kubernetes Engine Clusters which have disabled Master authorized networks. Enabling Master authorized networks will let the Kubernetes Engine block untrusted non-GCP source IPs from accessing the Kubernetes master through HTTPS. kubernetes engine
medium GCP Kubernetes Engine Clusters have Network policy disabled $.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.network_policy anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config[*].disabled anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config[*].disabled anyTrue) This policy identifies Kubernetes Engine Clusters which have Network policy disabled. A network policy defines how groups of pods are allowed to communicate with each other and with other network endpoints. When a network policy is enabled for a pod in a namespace, any connections that are not allowed by the network policy are rejected. kubernetes engine
medium GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled $.resource[*].google_container_cluster exists and $.resource[*].google_container_cluster.*[*].*.addons_config[*].kubernetes_dashboard[*].disabled anyFalse This policy identifies Kubernetes Engine Clusters which have enabled Kubernetes web UI/Dashboard. Since all the data is being transmitted over HTTP protocol, disabling Kubernetes web UI/Dashboard will protect the data from sniffers on the same network. kubernetes engine
medium GCP Kubernetes cluster Application-layer Secrets not encrypted $.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster[*].*[*].database_encryption anyNull or $.resource[*].google_container_cluster[*].*[*].database_encryption[*].state any equal DECRYPTED) Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as Secrets, stored in etcd. Using this functionality, you can use a key that you manage in Cloud KMS to encrypt data at the application layer. This protects against attackers who gain access to an offline copy of etcd. This policy checks your cluster for the Application-layer Secrets Encryption security feature and alerts if it is not enabled. kubernetes engine
medium GCP Kubernetes cluster istioConfig not enabled $.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.addons_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*] anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*].disabled anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*].disabled anyTrue) Istio is an open service mesh that provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between services, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code. This policy checks your cluster for the Istio add-on feature and alerts if it is not enabled. kubernetes engine
high AWS RDS snapshots are accessible to public $.resource[*].aws_db_instance exists and ($.resource[*].aws_db_instance[*].*[*].publicly_accessible !exists or $.resource[*].aws_db_instance[*].*[*].publicly_accessible anyTrue) This policy identifies AWS RDS snapshots which are accessible to the public. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. If RDS snapshots are inadvertently shared with the public, any unauthorized user with AWS console access can gain access to the snapshots and to the sensitive data in them. rds
medium AWS Redshift does not have require_ssl configured $.resource[*].aws_redshift_parameter_group exists and ($.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl')] !exists or $.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl' && @.value=='false' )] exists) This policy identifies Redshift databases whose data connections, to and from the database, occur over an insecure channel. SSL connections ensure the security of the data in transit. redshift
high AWS S3 buckets are accessible to public $.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.acl anyEqual public-read-write or $.resource[*].aws_s3_bucket.*[*].*.acl anyEqual public-read) This policy identifies S3 buckets which are publicly accessible. Amazon S3 allows customers to store or retrieve any type of content from anywhere on the web. Often, customers have legitimate reasons to expose an S3 bucket to the public, for example, to host website content. However, these buckets often contain highly sensitive enterprise data which, if left open to the public, may result in sensitive data leaks. s3
medium AWS S3 CloudTrail buckets for which access logging is disabled $.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket[*].*[*].logging anyNull) This policy identifies S3 CloudTrail buckets for which access logging is disabled. S3 bucket access logging generates access records for each request made to your S3 bucket. An access log record contains information such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. s3
medium AWS S3 Object Versioning is disabled $.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled does not exist or $.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled anyFalse) This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3. s3
high AWS Default Security Group does not restrict all traffic $.resource[*].aws_default_security_group exists and ($.resource[*].aws_default_security_group[*].*[*].ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group[*].*[*].ingress[*].ipv6_cidr_blocks[*] contains ::/0 or $.resource[*].aws_default_security_group[*].*[*].egress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group[*].*[*].egress[*].ipv6_cidr_blocks[*] contains ::/0) This policy identifies the default security group which does not restrict all inbound and outbound traffic. A VPC comes with a default security group whose initial configuration denies all inbound traffic from the internet and allows all outbound traffic. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. As a result, the instance may accidentally send outbound traffic. security group
high AWS Security Groups allow internet traffic from internet to RDP port (3389) $.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<3390 && @.to_port>3388 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<3390 && @.to_port>3388)].ipv6_cidr_blocks[*] contains ::/0) This policy identifies the security groups which expose the RDP port (3389) to the internet. Security Groups should not allow inbound traffic on the RDP port (3389) from the public internet. Doing so may allow a bad actor to brute force their way into the system and potentially get access to the entire network. security group
high AWS Security Groups allow internet traffic to SSH port (22) $.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].ipv6_cidr_blocks[*] contains ::/0) This policy identifies AWS Security Groups which allow inbound traffic on the SSH port (22) from the public internet. Doing so may allow a bad actor to brute force their way into the system and potentially get access to the entire network. security group
high AWS Security Groups with Inbound rule overly permissive to All Traffic ($.resource[*].aws_security_group exists and ($.resource[*].aws_security_group.*[*].*.ingress[*].protocol equals -1 and ($.resource[*].aws_security_group.*[*].*.ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[*].ipv6_cidr_blocks[*] contains ::/0))) or ($.resource[*].aws_security_group_rule exists and ($.resource[*].aws_security_group_rule.*[*].*.protocol equals -1 and $.resource[*].aws_security_group_rule.*[*].*.type equals ingress and ($.resource[*].aws_security_group_rule.*[*].*.cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group_rule.*[*].*.ipv6_cidr_blocks[*] contains ::/0))) This policy identifies AWS Security Groups which allow inbound traffic on all protocols from the public internet. Doing so may allow a bad actor to brute force their way into the system and potentially get access to the entire network. security group
medium AWS security group allows egress traffic to blocked ports - 21,22,135,137-139,445,69 $.resource[*].aws_security_group exists and $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].ipv6_cidr_blocks[*] == ::/0 Ensure AWS security groups block egress traffic to blocked ports - 21,22,135,137-139,445,69. security group
medium AWS security groups allow ingress traffic from blocked ports $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].ipv6_cidr_blocks[*] == ::/0 Ensure AWS security groups block ingress traffic from blocked ports - 21,22,135,137-139,445,69. security group
medium GCP User managed service accounts have user managed service account keys $.resource[*].google_service_account_key[*].*[*].service_account_id contains google_service_account or $.resource[*].google_service_account_key[*].*[*].service_account_id any end with iam.gserviceaccount.com This policy identifies user-managed service accounts that use user-managed service account keys instead of Google-managed keys. For user-managed keys, the user has to take ownership of key management activities. Even with owner precautions, keys can easily be leaked by common development malpractices such as checking keys into source code, leaving them in a downloads directory, or accidentally leaving them on support blogs/channels. So it is recommended to limit the use of user-managed service account keys and instead use Google-managed keys, which cannot be downloaded. service account key
low GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK) $.resource[*].google_compute_disk exists and $.resource[*].google_compute_disk.*.[*].*.disk_encrypt_key does not exist This policy identifies VM disks which are not encrypted with Customer-Supplied Encryption Keys (CSEK). If you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data. It is recommended to use VM disks encrypted with CSEK for business-critical VM instances. storage
medium GCP Storage log buckets have object versioning disabled $.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.versioning anyNull or $.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled anyNull or $.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled anyFalse) This policy identifies Storage log buckets which have object versioning disabled. Enabling object versioning on storage log buckets will protect your cloud storage data from being overwritten or accidentally deleted. It is recommended to enable object versioning feature on all storage buckets where sinks are configured. storage
medium Storage Accounts without Secure transfer enabled $.resource[*].azurerm_storage_account exists and ($.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only anyNull or $.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only anyFalse) The secure transfer option enhances the security of your storage account by only allowing requests to the storage account over a secure connection. For example, when calling REST APIs to access your storage accounts, you must connect using HTTPS. Any requests using HTTP will be rejected when ‘secure transfer required’ is enabled. When you are using the Azure Files service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure Storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name. storage
medium Storage Bucket does not have Access and Storage Logging enabled $.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.logging anyNull or $.resource[*].google_storage_bucket.*[*].*.logging[*].log_bucket anyEmpty) Checks to verify that the configuration on the Storage Buckets is enabled for access logs and storage logs. storage
medium AWS VPC allows unauthorized peering $.resource[*].aws_vpc_peering_connection[*].*[*].peer_vpc_id does not equal $.resource[*].aws_vpc_peering_connection[*].*[*].vpc_id This policy identifies the VPCs which have unauthorized peering. The recommended best practice is to disallow VPC peering between two VPCs from different AWS accounts, as this potentially enables unauthorized access to private resources. vpc

CloudFormation policies

Severity Policy Rule Description Resource Type
medium AWS Customer Master Key (CMK) rotation is not enabled $.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation any null or $.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation anyFalse Checks to ensure that CMKs are rotated periodically. AWS KMS (Key Management Service) allows customers to create master keys to encrypt sensitive data in different services. As a security best practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys. AWS Customer Master Key (CMK)
medium AWS CloudTrail is not enabled in all regions $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail any null or $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail anyFalse Checks to ensure that CloudTrail is enabled across all regions. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to turn on CloudTrail across different regions to get a complete audit trail of activities across various services. AWS cloudtrail
medium AWS IAM policy attached to users $.Resources.*[?(@.Type=='AWS::IAM::Policy')].Properties.Users exists and $.Resources.*[?(@.Type=='AWS::IAM::Policy')].Properties.Users[*] is not empty This policy identifies IAM policies attached to users. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. AWS_IAM_policy
medium AWS CloudTrail logs are not encrypted using Customer Master Keys (CMKs) $.Resources.*[?(@.Type == 'AWS::CloudTrail::Trail')] size > 0 and ($.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId anyNull or $.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId anyEmpty ) Checks to ensure that CloudTrail logs are encrypted. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to encrypt the CloudTrail data since it may contain sensitive information. cloudtrail
medium AWS VPC subnets should not allow automatic public IP assignment $.Resources.*[?(@.Type == 'AWS::EC2::Subnet')].Properties.MapPublicIpOnLaunch anyTrue This policy identifies VPC subnets which allow automatic public IP assignment. A VPC subnet is a part of the VPC with its own rules for traffic. Assigning a public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to the internet and should be edited to ‘No’ after creation of the subnet. ec2
high AWS ECS task definition elevated privileges enabled $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Privileged any equal true Ensure your ECS containers are not given elevated privileges on the host container instance. When the Privileged parameter is true, the container is given elevated privileges on the host container instance (similar to the root user). This policy checks the security configuration of your task definition and alerts if elevated privileges are enabled. Note: This parameter is not supported for Windows containers or tasks using the Fargate launch type. ecs
low AWS ECS task definition readonlyRootFilesystem not enabled $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any equal false Check if AWS ECS task definition readonlyRootFilesystem is enabled. ecs
medium AWS ECS task definition logging not enabled $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration.LogDriver any null Check if AWS ECS task definition logging is enabled. ecs
medium AWS ECS task definition resource limits not set $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any equal 0 or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any equal 0 or ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any null and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any null) or ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any equal 0 and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any equal 0) Check if AWS ECS task definition resource limits are set. ecs
medium AWS ElasticSearch cluster not in a VPC $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions any null or ($.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions exists and $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions.SubnetIds any null) VPC support for Amazon ES is easy to configure, reliable, and offers an extra layer of security. With VPC support, traffic between other services and Amazon ES stays entirely within the AWS network, isolated from the public Internet. You can manage network access using existing VPC security groups, and you can use AWS Identity and Access Management (IAM) policies for additional protection. VPC support for Amazon ES domains is available at no additional charge. elasticsearch
high AWS RDS instance is not encrypted $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any equal false This policy identifies AWS RDS instances which are not encrypted. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. Amazon allows customers to turn on encryption for RDS which is recommended for compliance and security reasons. rds
high AWS RDS snapshots are accessible to public $.Resources.*[?(@.Type == 'AWS::RDS::DBInstance')] exists and $.Resources.*[?(@.Type == 'AWS::RDS::DBInstance')].Properties.PubliclyAccessible anyTrue This policy identifies AWS RDS snapshots which are accessible to the public. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. If RDS snapshots are inadvertently shared publicly, any unauthorized user with AWS console access can gain access to the snapshots and to the sensitive data they contain. rds
low AWS RDS instance with copy tags to snapshots disabled $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any equal false This policy identifies RDS instances which have copy tags to snapshots disabled. Copy tags to snapshots copies all the user-defined tags from the DB instance to snapshots. Copying tags allow you to add metadata and apply access policies to your Amazon RDS resources. rds
low AWS RDS instance without Automatic Backup setting $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.BackupRetentionPeriod any equal 0 This policy identifies RDS instances which are not set with the Automatic Backup setting. If Automatic Backup is set, RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases, which provides for point-in-time recovery. The automatic backup happens during the specified backup window and the backups are kept for a limited period of time as defined in the retention period. It is recommended to set automatic backups for your critical RDS servers, which will help in the data restoration process. rds
medium AWS RDS instance with Multi-Availability Zone disabled $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.MultiAZ any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.MultiAZ any false This policy identifies RDS instances which have Multi-Availability Zone (Multi-AZ) disabled. When an RDS DB instance is enabled with Multi-AZ, RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different availability zone. These Multi-AZ deployments improve primary node reachability by providing a read replica in case of network connectivity loss or loss of availability in the primary’s availability zone for read/write operations, making them the best fit for production database workloads. rds
high AWS Redshift instances are not encrypted $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.Encrypted any null or $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.Encrypted anyFalse This policy identifies AWS Redshift instances which are not encrypted. These clusters should be encrypted to help protect data at rest; leaving it unencrypted can otherwise result in a data breach. redshift
medium AWS Redshift clusters should not be publicly accessible $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.PubliclyAccessible any true This policy identifies AWS Redshift clusters which are accessible publicly. redshift
medium AWS Redshift database does not have audit logging enabled $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.LoggingProperties any null Audit logging is not enabled by default in Amazon Redshift. When you enable logging on your cluster, Amazon Redshift creates and uploads logs to Amazon S3 that capture data from the creation of the cluster to the present time. redshift
high AWS S3 buckets are accessible to public ($.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicRead or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicReadWrite) This policy identifies S3 buckets which are publicly accessible. Amazon S3 allows customers to store or retrieve any type of content from anywhere on the web. Often, customers have legitimate reasons to expose an S3 bucket to the public, for example, to host website content. However, these buckets often contain highly sensitive enterprise data which, if left open to the public, may result in sensitive data leaks. s3
low AWS S3 buckets do not have server side encryption $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption any null or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm any null Customers can protect the data in S3 buckets using AWS server-side encryption. If server-side encryption is not turned on for S3 buckets with sensitive data, in the event of a data breach, malicious users can gain access to the data. NOTE: Do NOT enable this policy if you are using ‘Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C).’ s3
medium AWS S3 CloudTrail buckets for which access logging is disabled $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.LoggingConfiguration any null This policy identifies S3 CloudTrail buckets for which access logging is disabled. S3 bucket access logging generates access records for each request made to your S3 bucket. An access log record contains information such as the request type, the resources specified in the request, whether the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. s3
medium AWS S3 Object Versioning is disabled $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration does not exist or ($.Resources[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration exists and $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration.Status contains Suspended) This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3. s3
medium AWS security groups allow ingress traffic from blocked ports - 21,22,135,137-139,445,69 $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '22' && @.ToPort == '22' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '22' && @.ToPort == '22' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '21' && @.ToPort == '21' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '21' && @.ToPort == '21' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5800' && @.ToPort == '5800' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5800' && @.ToPort == '5800' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5900' && @.ToPort == '5900' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5900' && @.ToPort == '5900' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '2323' && @.ToPort == '2323' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '2323' && @.ToPort == '2323' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '23' && @.ToPort == '23' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '23' && @.ToPort == '23' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '25' && @.ToPort == '25' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '25' && @.ToPort == '25' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '110' && @.ToPort == '110' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '110' && @.ToPort == '110' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '143' && @.ToPort == '143' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '143' && @.ToPort == '143' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == '-1' && @.FromPort == '53' && @.ToPort == '53' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '53' && @.ToPort == '53' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'udp' && @.FromPort == '135' && @.ToPort == '135' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '135' && @.ToPort == '135' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == '-1' && @.FromPort == '137' && @.ToPort == '137' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '137' && @.ToPort == '137' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'udp' && @.FromPort == '69' && @.ToPort == '69' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '69' && @.ToPort == '69' && @.CidrIp6 == '::/0')] size greater than 0 Ensure AWS security groups block ingress traffic from blocked ports - 21,22,135,137-139,445,69. security group
medium AWS SNS subscription is not configured with HTTPS $.Resources.*[?(@.Type == 'AWS::SNS::Subscription')].Properties.Protocol contains http This policy identifies SNS subscriptions using HTTP instead of HTTPS as the delivery protocol, in order to enforce SSL encryption for all subscription requests. It is strongly recommended to use only HTTPS-based subscriptions by implementing secure SNS topic policies. sns
medium AWS SQS queue encryption using default KMS key instead of CMK $.Resources.*[?(@.Type == 'AWS::SQS::Queue')].Properties.KmsMasterKeyId contains alias/aws/sqs This policy identifies SQS queues which are encrypted with the default KMS key and not with Customer Master Keys (CMKs). It is a best practice to use customer managed master keys to encrypt your SQS queue messages. This gives you full control over the encrypted message data. sqs