Prisma Public Cloud IaC Scan API (BETA)

Scan CloudFormation, Terraform, Kubernetes deployment YAML files for security issues.

Kubernetes app YAML policies

| Severity | Policy | Rule | ID | Resource Type |
|---|---|---|---|---|
| high | all capabilities should be dropped | `$.spec.template.spec.containers[*].securityContext.capabilities.drop exists and !contains all` | 4682a6f1-2a1b-4f5a-938c-cdd3fa421a63 | k8s |
| high | avoid running privileged containers | `$.spec.template.spec.containers[*].securityContext.privileged is true` | 92714c07-d12b-4635-ae6a-514c5c428c5a | k8s |
| high | containers must be run as non-root | `$.spec.template.spec.containers[*].securityContext.runAsNonRoot exists and is false` | 2e22737c-a5b8-4808-8a8b-d99fc7e99505 | k8s |
| high | do not run containers as root | `$.spec.template.spec.securityContext.runAsUser < 1` | 314eba46-a376-43f6-9a0a-8517818301f1 | k8s |
| high | do not share host network with containers | `$.spec.template.spec.hostNetwork is true` | 99544e17-fc8f-4c77-963e-083ab80c53b0 | k8s |
| low | do not allow volume claims to be read by many nodes | `$.spec.volumeClaimTemplates[*].spec.accessModes == ReadOnlyMany` | 802f2ed9-0b0d-4627-bf1a-7cb0ccfdd71c | k8s |
| medium | do not allow sharing host IPC namespace | `$.spec.template.spec.hostIPC is true` | 344fb01c-7195-3e9f-47e1-c640733af43f | k8s |
| medium | do not allow sharing host PID namespace | `$.spec.template.spec.hostPID is true` | 4c5d00c1-8f60-40bc-9566-a5b4e019752a | k8s |
| medium | do not allow volume claims to be read-write by many nodes | `$.spec.volumeClaimTemplates[*].spec.accessModes == ReadWriteMany` | f9bcb4b8-3f22-448a-8521-9e09e3a994e0 | k8s |
| medium | do not run containers with dangerous capabilities | `$.spec.template.spec.containers[*].securityContext.capabilities exists and $.spec.template.spec.containers[*].securityContext.capabilities.add[*] is member of (FSETID, SETUID, SETGID,SYS_CHROOT,SYS_PTRACE,CHOWN,NET_RAW,NET_ADMIN,SYS_ADMIN,NET_BIND_SERVICE)` | 135420a6-3206-4c29-b944-846f65cea43e | k8s |
| medium | ensure containers are immutable | `$.spec.template.spec.containers[*].securityContext.readOnlyRootFilesystem exists and is false` | c448b01c-7f95-4e9f-97e1-c640733af44f | k8s |
| medium | entrypoint of the container must be run with a user with a high ID | `$.spec.template.spec.containers[*].securityContext.runAsUser < 9999` | 6e06b1a6-7eea-4730-91c2-9ac3fb676dce | k8s |

Terraform policies

| Severity | Policy | Rule | ID | Resource Type |
|---|---|---|---|---|
| medium | AWS VPC NACL allows egress traffic from blocked ports | `$.resource[*].aws_network_acl exists and $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].action==allow` | de727ef6-60b0-46b9-a056-29830952c986 | AWS NACL egress rules |
| low | AWS S3 CloudTrail buckets for which access logging is disabled | `$.resource[*].aws_cloudtrail[*].*[*].enable_logging anyFalse` | 82578260-f754-4e0e-ba6b-a06b9e36ad5b | AWS S3 cloudtrail logging |
| medium | AWS VPC NACL allows traffic from blocked ports | `$.resource[*].aws_network_acl exists and $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].action==allow` | 1cc0ec13-4079-4e27-b597-9edf83a1cd93 | AWS VPC NACL allow traffic |
| medium | AWS security group allows traffic from blocked ports | `$.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].ipv6_cidr_blocks[*] == ::/0` | 9731fe16-636f-477a-b083-6d90c66d2c0b | AWS security group ingress ports |
| high | AWS CloudTrail bucket is publicly accessible | `$.resource[*].aws_cloudtrail exists and $.resource[*].aws_cloudtrail[*].*[*].s3_bucket_name equals $.resource[*].aws_s3_bucket_public_access_block[*].*[*].bucket and ($.resource[*].aws_s3_bucket_public_access_block[*].*[*].block_public_acls isFalse or $.resource[*].aws_s3_bucket_public_access_block[*].*[*].block_public_policy isFalse)` | fc24c16c-f3cc-43b0-aa0e-ba32f5e234d3 | AWS_cloudtrail_s3_bucket |
| low | AWS ECS task definition root user found | `$.resource[*].aws_ecs_task_definition[*].*[*].container_definitions[?(@.user=='root')] exists` | d7cf6d0e-e515-4d0f-b93d-c88932c60172 | ECS task definition |
| medium | SQL instances with network authorization exposing them to the internet | `$.resource[*].google_sql_database_instance[*].*[*].settings[*].ip_configuration[*].authorized_networks[*].value anyEqual 0.0.0.0/0 or $.resource[*].google_sql_database_instance[*].*[*].settings[*].ip_configuration[*].authorized_networks[*].value anyEqual ::/0` | 32865329-308b-4a18-bcf5-fe71423d8770 | GCP SQL DB Instance |
| medium | GCP VM instances have IP forwarding enabled | `$.resource[*].google_compute_instance_template[*].*.[*].can_ip_forward anyTrue` | c52cef1e-cb56-43dc-8708-fbff0e64b59a | GCP VM instances |
| low | GCP Kubernetes Engine Clusters have pod security policy disabled | `$.resource[*].google_container_cluster.*[*].*.pod_security_policy_config anyNull or $.resource[*].google_container_cluster.*[*].*.pod_security_policy_config.enabled anyFalse` | b24c52e5-948c-4335-b8e0-c44b86b69538 | GCP k8s pod_security |
| medium | GCP project is using default network | `$.resource[*].google_project[*].*[*].auto_create_network anyTrue or $.resource[*].google_project[*].*[*].auto_create_network anyNull` | 2d372220-3125-48ec-915b-30f0fc5220fb | Google Project |
| medium | AWS security group allows egress traffic from blocked ports - 21,22,135,137-139,445,69 | `$.resource[*].aws_security_group exists and $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].ipv6_cidr_blocks[*] == ::/0` | 2b47072f-0d2b-45a5-aa2d-1db80974176e | Security Group egress traffic |
| medium | AWS EC2 instances have SSH port open to internet | `$.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].ipv6_cidr_blocks[*] contains ::/0)` | c2bcdbe7-7c2c-48bc-a0f7-37e1b9766385 | Security Group ingress rule |
| medium | AWS RDS event subscription disabled for DB security groups | `$.resource[*].aws_db_instance exists and ( $.resource[*].aws_db_event_subscription !exists or $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')] anyNull or not $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled anyNull or $.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled anyTrue )` | b81ceb53-e21a-4456-a35b-ece94323637b | aws_db_event_subscription |
| medium | AWS CloudTrail logs are not encrypted using Customer Master Keys | `$.resource[*].aws_cloudtrail exists and ($.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyNull or $.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyEmpty)` | 07a06f60-1532-4e2e-b91c-8f972a96f1a9 | cloudtrail |
| medium | AWS ECS task definition execution IAM Role not found | `$.resource[*].aws_ecs_task_definition exists and $.resource[*].aws_ecs_task_definition[*].*[*].container_definitions exists and ($.resource[*].aws_ecs_task_definition[*].*[*].execution_role_arn anyNull or $.resource[*].aws_ecs_task_definition[*].*[*].execution_role_arn anyEmpty)` | a76c8132-7cc3-40b1-a417-d3a41fc44f89 | ecs |
| high | AWS Kubernetes unsupported master node version | `$.resource[*].aws_eks_cluster[*].*[*].version anyStartWith 1.9.` | 60440266-3d03-41ce-ba8c-d51ccbdb6804 | eks |
| medium | AWS ElasticSearch cluster not in a VPC | `$.resource[*].aws_elasticsearch_domain exists and $.resource[*].aws_elasticsearch_domain[*].*[*].vpc_options does not exist` | 28ee2708-305a-4b23-acf0-535ab45b96ab | elasticsearch |
| medium | GCP VPC network subnets have Private Google access disabled | `$.resource[*].google_compute_subnetwork[*].*[*].private_ip_google_access anyNull or $.resource[*].google_compute_subnetwork[*].*[*].private_ip_google_access anyFalse` | 1af7b784-5c6c-43c0-a736-dc5e47cc235a | google compute subnetwork |
| medium | GCP storage buckets are publicly accessible to all users | `$.resource[*].google_storage_bucket_access_control[*].*[*].entity contains allUsers` | 0716cf97-9f82-46ae-8b35-09f2ee41d136 | google_storage_bucket_access_control |
| medium | AWS IAM password policy does not expire in 90 days | `$.resource[*].aws_iam_account_password_policy[*].*[?( @.max_password_age>90 )] is not empty` | cb4e7ef6-b4b4-45a5-9ae5-194d3a0e12e9 | iam_account_password |
| medium | AWS IAM password policy does not have a lowercase character | `$.resource[*].aws_iam_account_password_policy[*].*[*].require_lowercase_characters anyFalse` | 77c2d5a8-071f-48b9-9de0-5917e9b4548d | iam_account_password |
| medium | AWS IAM password policy does not have a minimum of 14 characters | `$.resource[*].aws_iam_account_password_policy[*].*[?( @.minimum_password_length<14 )] is not empty` | 7228106b-f82f-4d2e-a1a0-73fd15f70637 | iam_account_password |
| medium | AWS IAM password policy does not have a number | `$.resource[*].aws_iam_account_password_policy[*].*[*].require_numbers anyFalse` | 41fdae49-6fc7-4bc9-80e4-2cbb2262ab7a | iam_account_password |
| medium | AWS IAM password policy does not have a symbol | `$.resource[*].aws_iam_account_password_policy[*].*[*].require_symbols anyFalse` | f8013bbf-21b8-4e81-b6ef-7b568407129c | iam_account_password |
| medium | AWS IAM password policy does not have an uppercase character | `$.resource[*].aws_iam_account_password_policy[*].*[*].require_uppercase_characters anyFalse` | d6dadfcf-a98c-4917-97b5-a5df6a9c493d | iam_account_password |
| medium | AWS IAM password policy allows password reuse | `$.resource[*].aws_iam_account_password_policy[*].*[*].password_reuse_prevention == 0` | c6921472-260e-460a-aa55-77e69e2ee0ba | iam_account_password_policy |
| low | AWS IAM policy attached to users | `$.resource[*].aws_iam_policy_attachment[*].*[*].users exists and $.resource[*].aws_iam_policy_attachment[*].*[*].users[*] is not empty` | 1903f355-b68f-4d9c-84dd-c46abe4f8673 | iam_policy_attachment |
| medium | GCP Kubernetes Engine Cluster Nodes have default Service accounts for project access | `$.resource[*].google_container_cluster[*].*[*].node_config anyNull or $.resource[*].google_container_cluster[*].*[*].node_config[*].service_account anyNull` | f125951d-f5c0-4ca6-aab2-d443485e04a1 | k8s container cluster service account |
| medium | AWS Customer Master Key (CMK) rotation is not enabled | `$.resource[*].aws_kms_key exists and ( $.resource[*].aws_kms_key[*].*[*].enable_key_rotation anyFalse or $.resource[*].aws_kms_key[*].*[*].enable_key_rotation anyNull)` | 497f7e2c-b702-47c7-9a07-f0f6404ac896 | kms |
| low | GCP Kubernetes Engine Clusters have Alias IP disabled | `$.resource[*].google_container_cluster exists and $.resource[*].google_container_cluster[*].*.*.ip_allocation_policy does not exist` | 33104909-45f5-4533-8b71-d54716dc7184 | kubernetes engine |
| low | GCP Kubernetes Engine Clusters have HTTP load balancing disabled | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.addons_config[*].http_load_balancing[*].disabled anyTrue)` | afb8ee15-96a4-4f32-83a5-c5f60c49de75 | kubernetes engine |
| low | GCP Kubernetes Engine Clusters not configured with private cluster | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.private_cluster_config anyNull or $.resource[*].google_container_cluster.*[*].*.private_cluster_config[*].enable_private_nodes anyNull or $.resource[*].google_container_cluster.*[*].*.private_cluster_config[*].enable_private_nodes anyFalse)` | 33a04b8d-970b-43c3-b584-c704695178ed | kubernetes engine |
| low | GCP Kubernetes Engine Clusters not using container optimized OS for node image | `$.resource[*].google_container_node_pool exists and ($.resource[*].google_container_node_pool.*[*].*.node_config anyNull or $.resource[*].google_container_node_pool.*[*].*.node_config[*].image_type anyNull or not $.resource[*].google_container_node_pool.*[*].*.node_config[*].image_type allStartWith cos )` | b80d079e-9db6-440e-a35a-64e53e47e6fc | kubernetes engine |
| medium | GCP Kubernetes Engine Clusters have Legacy Authorization enabled | `$.resource[*].google_container_cluster.*.*[*].enable_legacy_abac anyTrue` | 3a8dde2f-ee02-4d51-bcd1-b119c0207226 | kubernetes engine |
| medium | GCP Kubernetes Engine Clusters have Network policy disabled | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.network_policy anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config[*].disabled anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config[*].disabled anyTrue)` | ca78ea0f-83ec-4401-9c33-300215ebe7b3 | kubernetes engine |
| medium | GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled | `$.resource[*].google_container_cluster exists and $.resource[*].google_container_cluster.*[*].*.addons_config[*].kubernetes_dashboard[*].disabled anyFalse` | 243d8c63-97cf-434a-b75e-2a84c57fdc37 | kubernetes engine |
| medium | GCP Kubernetes cluster Application-layer Secrets not encrypted | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster[*].*[*].database_encryption anyNull or $.resource[*].google_container_cluster[*].*[*].database_encryption[*].state any equal DECRYPTED)` | 7ece6176-027f-4cf7-885e-555d11786c27 | kubernetes engine |
| medium | GCP Kubernetes cluster istioConfig not enabled | `$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.addons_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*] anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*].disabled anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].istio_config[*].disabled anyTrue)` | 6afc115a-d9f9-45e8-9716-6a4204621074 | kubernetes engine |
| medium | GCP Kubernetes engine clusters have basic authentication enabled | `$.resource.*.google_container_cluster.*.*.*.master_auth exists and not ($.resource.*.google_container_cluster.*.*.*.master_auth.*.password is empty and $.resource.*.google_container_cluster.*.*.*.master_auth.*.username is empty)` | b6b3b461-767c-43f5-b608-b84e8c40fa88 | kubernetes engine |
| high | Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 | `($.resource[*].azurerm_network_security_rule exists and ($.resource[*].azurerm_network_security_rule.*[*].*.access contains Allow and $.resource[*].azurerm_network_security_rule.*[*].*.destination_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.source_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.destination_port_range contains 22 and $.resource[*].azurerm_network_security_rule.*[*].*.direction contains Inbound))` | 1eb0cd02-789a-4b96-8463-fb5583e40585 | nsg |
| high | AWS RDS snapshots are accessible to public | `$.resource[*].aws_db_instance exists and ($.resource[*].aws_db_instance[*].*[*].publicly_accessible !exists or $.resource[*].aws_db_instance[*].*[*].publicly_accessible anyTrue)` | 054e0760-d0e2-454a-8898-015e9e9fbc1a | rds |
| medium | AWS Redshift does not have require_ssl configured | `$.resource[*].aws_redshift_parameter_group exists and ($.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl')] !exists or $.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl' && @.value=='false' )] exists)` | 2ff03f80-c9f6-4a37-b8b1-1212965e352d | redshift |
| high | AWS S3 buckets are accessible to public | `$.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.acl anyEqual public-read-write or $.resource[*].aws_s3_bucket.*[*].*.acl anyEqual public-read)` | ded75b65-7ef6-4239-a08f-d4d9a4eb218b | s3 |
| medium | AWS Access logging not enabled on S3 buckets | `$.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket[*].*[*].logging anyNull)` | 41215510-c504-4752-ab38-0a36e49d55f8 | s3 |
| medium | AWS S3 object versioning is disabled | `$.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled does not exist or $.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled anyFalse)` | 1914c65c-2406-4261-88cd-fbeb684a15dc | s3 |
| high | AWS Default Security Group does not restrict all traffic | `$.resource[*].aws_default_security_group exists and ($.resource[*].aws_default_security_group[*].*[*].ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group[*].*[*].ingress[*].ipv6_cidr_blocks[*] contains ::/0 or $.resource[*].aws_default_security_group[*].*[*].egress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group[*].*[*].egress[*].ipv6_cidr_blocks[*] contains ::/0)` | c8f6a525-e4ba-4499-b015-15153c797143 | security group |
| high | AWS Security Groups allow internet traffic to RDP port (3389) | `$.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<3390 && @.to_port>3388 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<3390 && @.to_port>3388)].ipv6_cidr_blocks[*] contains ::/0)` | 1796efe6-802d-4768-8c17-7491c560b686 | security group |
| high | AWS Security Groups allow internet traffic to SSH port (22) | `$.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].ipv6_cidr_blocks[*] contains ::/0)` | 9745cb18-32f9-4411-a59c-fae4ffa362ce | security group |
| high | AWS Security Groups with Inbound rule overly permissive to All Traffic | `($.resource[*].aws_security_group exists and ($.resource[*].aws_security_group.*[*].*.ingress[*].protocol equals -1 and ($.resource[*].aws_security_group.*[*].*.ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[*].ipv6_cidr_blocks[*] contains ::/0))) or ($.resource[*].aws_security_group_rule exists and ($.resource[*].aws_security_group_rule.*[*].*.protocol equals -1 and $.resource[*].aws_security_group_rule.*[*].*.type equals ingress and ($.resource[*].aws_security_group_rule.*[*].*.cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group_rule.*[*].*.ipv6_cidr_blocks[*] contains ::/0)))` | eba4d571-4338-4f62-8110-9be6c4b47fd0 | security group |
| medium | GCP Storage log buckets have object versioning disabled | `$.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.versioning anyNull or $.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled anyNull or $.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled anyFalse)` | 53a9b6e1-dd93-4110-b443-4658c13134b4 | storage |
| medium | Storage Accounts without Secure transfer enabled | `$.resource[*].azurerm_storage_account exists and ($.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only anyNull or $.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only anyFalse)` | 80f6dc01-4aaa-4712-a7bf-70e103fea4a3 | storage |
| medium | Storage Bucket does not have Access and Storage Logging enabled | `$.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.logging anyNull or $.resource[*].google_storage_bucket.*[*].*.logging[*].log_bucket anyEmpty)` | 22df2129-f6bf-4a10-9118-42b8d5d922a9 | storage |
| medium | AWS VPC allows unauthorized peering | `$.resource[*].aws_vpc_peering_connection[*].*[*].peer_vpc_id does not equal $.resource[*].aws_vpc_peering_connection[*].*[*].vpc_id` | 59356130-d856-470d-a08e-b2a0ba2a4ac7 | vpc |

CloudFormation policies

| Severity | Policy | Rule | ID | Resource Type |
|---|---|---|---|---|
| medium | AWS Customer Master Key (CMK) rotation is not enabled | `$.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation any null or $.Resources.*[?(@.Type=='AWS::KMS::Key')].Properties.EnableKeyRotation anyFalse` | 6ae8d0a5-4794-438c-aafa-200f94b45f1f | AWS Customer Master Key (CMK) |
| medium | AWS CloudTrail is not enabled in all regions | `$.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail any null or $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail anyFalse` | c1ad39ed-5341-43cb-8266-4d93a2033d75 | AWS cloudtrail |
| medium | AWS security group allows traffic from blocked ports | `$.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '22' && @.ToPort == '22' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '22' && @.ToPort == '22' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '21' && @.ToPort == '21' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '21' && @.ToPort == '21' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5800' && @.ToPort == '5800' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5800' && @.ToPort == '5800' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5900' && @.ToPort == '5900' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '5900' && @.ToPort == '5900' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '2323' && @.ToPort == '2323' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '2323' && @.ToPort == '2323' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '23' && @.ToPort == '23' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '23' && @.ToPort == '23' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '25' && @.ToPort == '25' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '25' && @.ToPort == '25' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '110' && @.ToPort == '110' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '110' && @.ToPort == '110' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '143' && @.ToPort == '143' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '143' && @.ToPort == '143' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == '-1' && @.FromPort == '53' && @.ToPort == '53' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '53' && @.ToPort == '53' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'udp' && @.FromPort == '135' && @.ToPort == '135' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '135' && @.ToPort == '135' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == '-1' && @.FromPort == '137' && @.ToPort == '137' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '137' && @.ToPort == '137' && @.CidrIp6 == '::/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'udp' && @.FromPort == '69' && @.ToPort == '69' && @.CidrIp == '0.0.0.0/0')] size greater than 0 or $.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '69' && @.ToPort == '69' && @.CidrIp6 == '::/0')] size greater than 0` | b95c4df5-7881-4dda-85ea-fb8c83600d03 | AWS security group ingress ports |
| medium | AWS IAM policy attached to users | `$.Resources.*[?(@.Type=='AWS::IAM::Policy')].Properties.Users exists and $.Resources.*[?(@.Type=='AWS::IAM::Policy')].Properties.Users[*] is not empty` | c441b20b-5daf-4862-b383-798b61c72819 | AWS_IAM_policy |
| medium | AWS CloudTrail logs are not encrypted using Customer Master Keys | `$.Resources.*[?(@.Type == 'AWS::CloudTrail::Trail')] size > 0 and ($.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId anyNull or $.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId anyEmpty )` | 7d618dd9-e061-4e14-bc7b-812c0394bbef | cloudtrail |
| medium | AWS VPC subnets should not allow automatic public IP assignment | `$.Resources.*[?(@.Type == 'AWS::EC2::Subnet')].Properties.MapPublicIpOnLaunch anyTrue` | 11743cd3-35e4-4639-91e1-bc87b52d4cf5 | ec2 |
| high | AWS ECS task definition elevated privileges enabled | `$.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Privileged any equal true` | 38026e84-451b-4290-a008-562eeb36212a | ecs |
| low | AWS ECS task definition readonlyRootFilesystem not enabled | `$.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any equal false` | 0f4959be-5d2d-41cf-aa45-08bb4c13121f | ecs |
| medium | AWS ECS task definition logging not enabled | `$.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration.LogDriver any null` | 404b49c0-ad7e-41a7-94ae-587901872524 | ecs |
| medium | AWS ECS task definition resource limits not set | `$.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any equal 0 or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any equal 0 or ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any null and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any null) or ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any equal 0 and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any equal 0)` | 44a82298-64d1-4b4b-a9ad-eeda02448975 | ecs |
medium AWS ElasticSearch cluster not in a VPC $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions any null or ($.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions exists and $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions.SubnetIds any null) 3b745764-1d47-4adf-a023-18b95dcd713e elasticsearch
high AWS RDS instance is not encrypted $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any equal false 34fa9efb-d18f-41e4-b93f-2f7e5378752c rds
high AWS RDS snapshots are accessible to public $.Resources.*[?(@.Type == 'AWS::RDS::DBInstance')] exists and $.Resources.*[?(@.Type == 'AWS::RDS::DBInstance')].Properties.PubliclyAccessible anyTrue d68f9185-422e-42d3-b673-b1aef528012c rds
low AWS RDS instance with copy tags to snapshots disabled $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any equal false 8a910436-344a-4bd9-9359-239a3ca13b99 rds
low AWS RDS instance without Automatic Backup setting $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.BackupRetentionPeriod any equal 0 f81d0239-3633-4828-a499-d2d1b1219a5c rds
medium AWS RDS instance with Multi-Availability Zone disabled $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.MultiAZ any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.MultiAZ any false f606fe0b-2950-42ce-a3b2-7f100ece5c3a rds
high AWS Redshift instances are not encrypted $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.Encrypted any null or $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.Encrypted anyFalse 0132bbb2-c733-4c36-9c5d-c58967c7d1a6 redshift
medium AWS Redshift clusters should not be publicly accessible $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.PubliclyAccessible any true d65fd313-1c5c-42a1-98b2-a73bdeda19a6 redshift
medium AWS Redshift database does not have audit logging enabled $.Resources.*[?(@.Type=='AWS::Redshift::Cluster')].Properties.LoggingProperties any null 91c941aa-d110-4b33-9934-aadd86b1a4d9 redshift
high AWS S3 buckets are accessible to public ($.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicRead or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicReadWrite) bbb01285-7fc6-4649-85c0-6ab9f08bde4f s3
low AWS S3 buckets do not have server side encryption $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption any null or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm any null ff6a3231-bb09-4fba-82ea-46ee3228a9f2 s3
medium AWS Access logging not enabled on S3 buckets $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.LoggingConfiguration any null 4daa435b-fa46-457a-9359-6a4b4a43a442 s3
medium AWS S3 Object Versioning is disabled $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration does not exist or ($.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration exists and $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.VersioningConfiguration.Status contains Suspended) 8ec3f878-0f5e-4782-b4cd-98018b217be5 s3
medium AWS SNS subscription is not configured with HTTPS $.Resources.*[?(@.Type == 'AWS::SNS::Subscription')].Properties.Protocol contains http b53e5177-96e1-4999-a9c8-6400190910bb sns
medium AWS SQS queue encryption using default KMS key instead of CMK $.Resources.*[?(@.Type == 'AWS::SQS::Queue')].Properties.KmsMasterKeyId contains alias/aws/sqs 0a626f64-d911-4366-b7dc-629a6557d7b5 sqs
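A local checker for a handful of the CloudFormation policies above, added here as an example; it is not Prisma's engine, whose rule DSL is evaluated by the scan service. It re-implements the intent of the security group ingress, RDS encryption, S3 public ACL, S3 versioning, ECS privileged and SNS transport rules in plain Python over a parsed template so a file can be checked before it is submitted. Assumptions: the function names, the SENSITIVE_PORTS set (collected from the port list in the ingress rule) and the sample template are mine; the IPv6 CIDR is read from CidrIpv6, which is the CloudFormation property name, where the rule text above writes CidrIp6; ports are normalised with int() because templates carry them as numbers or strings while the rule compares string literals; the SNS check matches Protocol == 'http' exactly, since a substring test for http would also match https; and the ingress check goes beyond the rule's exact single-port match by flagging any world-open range that covers a sensitive port, including IpProtocol -1 with no ports given.

```python
"""Offline re-implementation of a few CloudFormation policies from the table
above. Added example, not Prisma's engine: it mirrors the intent of selected
rules in plain Python so a template can be checked before it is submitted."""
import json

# Ports the "AWS security group ingress ports" rule names as sensitive when
# exposed to 0.0.0.0/0 or ::/0 (collected from the rule text above).
SENSITIVE_PORTS = {23, 25, 53, 69, 110, 135, 137, 143, 2323}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def resources_of(template, rtype):
    """Yield (logical_id, Properties) for each resource of the given Type."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == rtype:
            yield name, res.get("Properties") or {}


def truthy(value):
    """CloudFormation booleans arrive as true or as the string "true"."""
    return value is True or str(value).lower() == "true"


def port_range(rule):
    """(lo, hi) an ingress rule covers; protocol -1 without ports means all.
    int() normalises numbers and strings; intrinsic functions are skipped."""
    if rule.get("IpProtocol") == "-1" and "FromPort" not in rule:
        return 0, 65535
    try:
        return int(rule["FromPort"]), int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return None


def check_sg_ingress(template):
    """Broader than the page's rule: any world-open rule whose range covers a
    sensitive port, not only FromPort == ToPort == <port>. The CloudFormation
    property is CidrIpv6 (the rule text above writes CidrIp6)."""
    out = []
    for name, props in resources_of(template, "AWS::EC2::SecurityGroup"):
        for rule in props.get("SecurityGroupIngress", []):
            rng = port_range(rule)
            world = rule.get("CidrIp") == ANY_IPV4 or rule.get("CidrIpv6") == ANY_IPV6
            if rng and world and any(rng[0] <= p <= rng[1] for p in SENSITIVE_PORTS):
                out.append((name, "AWS security group ingress ports"))
                break  # one finding per security group
    return out


def check_rds_unencrypted(template):
    return [(n, "AWS RDS instance is not encrypted")
            for n, p in resources_of(template, "AWS::RDS::DBInstance")
            if not truthy(p.get("StorageEncrypted"))]


def check_s3_public_acl(template):
    return [(n, "AWS S3 buckets are accessible to public")
            for n, p in resources_of(template, "AWS::S3::Bucket")
            if p.get("AccessControl") in ("PublicRead", "PublicReadWrite")]


def check_s3_versioning(template):
    # Status is Enabled or Suspended; a missing configuration means off.
    return [(n, "AWS S3 Object Versioning is disabled")
            for n, p in resources_of(template, "AWS::S3::Bucket")
            if (p.get("VersioningConfiguration") or {}).get("Status") != "Enabled"]


def check_ecs_privileged(template):
    return [(n, "AWS ECS task definition elevated privileges enabled")
            for n, p in resources_of(template, "AWS::ECS::TaskDefinition")
            if any(truthy(c.get("Privileged")) for c in p.get("ContainerDefinitions", []))]


def check_sns_plain_http(template):
    # Exact match on purpose: a substring test for "http" also matches "https".
    return [(n, "AWS SNS subscription is not configured with HTTPS")
            for n, p in resources_of(template, "AWS::SNS::Subscription")
            if p.get("Protocol") == "http"]


CHECKS = [check_sg_ingress, check_rds_unencrypted, check_s3_public_acl,
          check_s3_versioning, check_ecs_privileged, check_sns_plain_http]


def scan(template):
    """Run every check; returns a list of (logical_id, policy_name)."""
    return [f for check in CHECKS for f in check(template)]


# Constructed sample template (not from the page): each weak resource sits
# beside a hardened counterpart so both outcomes of every check are exercised.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
 "TelnetOpen": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
   {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23, "CidrIp": "0.0.0.0/0"},
   {"IpProtocol": "tcp", "FromPort": "20", "ToPort": "30", "CidrIpv6": "::/0"}]}},
 "WebOnly": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
 "PlainDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres"}},
 "EncryptedDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres",
   "StorageEncrypted": true, "KmsKeyId": "alias/app-db"}},
 "OpenBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
 "LockedBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private",
   "VersioningConfiguration": {"Status": "Enabled"}}},
 "RootTask": {"Type": "AWS::ECS::TaskDefinition", "Properties": {"ContainerDefinitions": [
   {"Name": "app", "Image": "app:1", "Privileged": true}]}},
 "PlainSub": {"Type": "AWS::SNS::Subscription", "Properties": {"Protocol": "http",
   "TopicArn": "arn:aws:sns:us-east-1:123456789012:t", "Endpoint": "http://hooks.example.test/in"}},
 "TlsSub": {"Type": "AWS::SNS::Subscription", "Properties": {"Protocol": "https",
   "TopicArn": "arn:aws:sns:us-east-1:123456789012:t", "Endpoint": "https://hooks.example.test/in"}}
}}""")

FINDINGS = scan(SAMPLE_TEMPLATE)  # six findings, none for the hardened resources
```

Intrinsic functions (Ref, Fn::*) in port fields are skipped rather than guessed, so a template that parameterises its ports gets no ingress finding from this script; resolve parameters first or route such rules to manual review. The same caveat applies to the page's own rules, which compare literal values and cannot see through a Ref either.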