Prisma Public Cloud IaC Scan API (BETA)

Scans CloudFormation templates, Terraform configurations and Kubernetes deployment YAML files for security issues. The tables below list the policies the scanner applies. Each Rule expression is written as the condition that produces a finding: a resource that matches the rule fails the policy, so a rule phrased as "X exists and is false" does not fire when X is absent, only when it is set to false.

Kubernetes app yaml policies

| Severity | Policy | Rule | ID | Resource type |
|---|---|---|---|---|
| high | 'all' capabilities should be dropped | $.spec.template.spec.containers[*].securityContext.capabilities.drop exists and !contains all | 4682a6f1-2a1b-4f5a-938c-cdd3fa421a63 | k8s |
| high | avoid running privileged containers | $.spec.template.spec.containers[*].securityContext.privileged is true | 92714c07-d12b-4635-ae6a-514c5c428c5a | k8s |
| high | containers must be run as non-root | $.spec.template.spec.containers[*].securityContext.runAsNonRoot exists and is false | 2e22737c-a5b8-4808-8a8b-d99fc7e99505 | k8s |
| high | do not run containers as root | $.spec.template.spec.securityContext.runAsUser < 1 | 314eba46-a376-43f6-9a0a-8517818301f1 | k8s |
| high | do not share host network with containers | $.spec.template.spec.hostNetwork is true | 99544e17-fc8f-4c77-963e-083ab80c53b0 | k8s |
| low | do not allow volume claims to be read by many nodes | $.spec.volumeClaimTemplates[*].spec.accessModes == ReadOnlyMany | 802f2ed9-0b0d-4627-bf1a-7cb0ccfdd71c | k8s |
| medium | do not allow sharing host IPC namespace | $.spec.template.spec.hostIPC is true | 344fb01c-7195-3e9f-47e1-c640733af43f | k8s |
| medium | do not allow sharing host PID namespace | $.spec.template.spec.hostPID is true | 4c5d00c1-8f60-40bc-9566-a5b4e019752a | k8s |
| medium | do not allow volume claims to be read-write by many nodes | $.spec.volumeClaimTemplates[*].spec.accessModes == ReadWriteMany | f9bcb4b8-3f22-448a-8521-9e09e3a994e0 | k8s |
| medium | do not run containers with dangerous capabilities | $.spec.template.spec.containers[*].securityContext.capabilities exists and $.spec.template.spec.containers[*].securityContext.capabilities.add[*] is member of (FSETID, SETUID, SETGID, SYS_CHROOT, SYS_PTRACE, CHOWN, NET_RAW, NET_ADMIN, SYS_ADMIN, NET_BIND_SERVICE) | 135420a6-3206-4c29-b944-846f65cea43e | k8s |
| medium | ensure containers are immutable | $.spec.template.spec.containers[*].securityContext.readOnlyRootFilesystem exists and is false | c448b01c-7f95-4e9f-97e1-c640733af44f | k8s |
| medium | entrypoint of the container must be run with a user with a high ID | $.spec.template.spec.containers[*].securityContext.runAsUser < 9999 | 6e06b1a6-7eea-4730-91c2-9ac3fb676dce | k8s |
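The following is an added example, not Prisma's scanner code, that evaluates the pod-level and container-level Kubernetes rules above against a Deployment. The manifest is constructed for this page and the helper names are my own; each check returns True when the Rule column's finding condition holds, and `hardened()` shows the same Deployment with every finding fixed. Two details worth noticing: rules of the form "exists and is false" stay silent when the field is simply missing, and the "high ID" rule reads only the container-level `runAsUser`, so a pod-level `runAsUser: 0` is caught by the separate "do not run containers as root" rule, not by this one.

```python
"""Added example (not Prisma's code): evaluate the Kubernetes policies listed
above against a Deployment manifest. Manifest and helper names are constructed."""
import copy
import json

# Constructed Deployment that trips most of the rules in the table.
BAD_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
  "spec": {"template": {"spec": {
    "hostNetwork": true,
    "securityContext": {"runAsUser": 0},
    "containers": [{
      "name": "app", "image": "example/app:1.0",
      "securityContext": {
        "privileged": true, "runAsNonRoot": false, "runAsUser": 1000,
        "readOnlyRootFilesystem": false,
        "capabilities": {"add": ["NET_ADMIN"], "drop": ["MKNOD"]}}}]}}}
}
""")

DANGEROUS_CAPS = {"FSETID", "SETUID", "SETGID", "SYS_CHROOT", "SYS_PTRACE",
                  "CHOWN", "NET_RAW", "NET_ADMIN", "SYS_ADMIN", "NET_BIND_SERVICE"}


def pod_spec(m):
    return m["spec"]["template"]["spec"]


def containers(m):
    return pod_spec(m).get("containers", [])


def sec(c):
    return c.get("securityContext") or {}


def caps(c):
    return sec(c).get("capabilities") or {}


def all_not_dropped(m):
    # Kubernetes spells the catch-all capability "ALL"; compare case-insensitively
    # so the rule's lowercase "all" still matches.
    return any("drop" in caps(c)
               and "ALL" not in {x.upper() for x in caps(c)["drop"]}
               for c in containers(m))


def dangerous_caps_added(m):
    return any({x.upper() for x in caps(c).get("add", [])} & DANGEROUS_CAPS
               for c in containers(m))


def container_flag(m, key, value):
    # "exists and is <value>": a missing field does NOT produce a finding.
    return any(sec(c).get(key) is value for c in containers(m))


def container_uid_below(m, limit):
    return any(sec(c).get("runAsUser") is not None and sec(c)["runAsUser"] < limit
               for c in containers(m))


def pod_uid_below(m, limit):
    uid = (pod_spec(m).get("securityContext") or {}).get("runAsUser")
    return uid is not None and uid < limit


def pod_flag(m, key):
    return pod_spec(m).get(key) is True


RULES = [  # (severity, policy name from the table, finding condition)
    ("high", "'all' capabilities should be dropped", all_not_dropped),
    ("high", "avoid running privileged containers", lambda m: container_flag(m, "privileged", True)),
    ("high", "containers must be run as non-root", lambda m: container_flag(m, "runAsNonRoot", False)),
    ("high", "do not run containers as root", lambda m: pod_uid_below(m, 1)),
    ("high", "do not share host network with containers", lambda m: pod_flag(m, "hostNetwork")),
    ("medium", "do not allow sharing host IPC namespace", lambda m: pod_flag(m, "hostIPC")),
    ("medium", "do not allow sharing host PID namespace", lambda m: pod_flag(m, "hostPID")),
    ("medium", "do not run containers with dangerous capabilities", dangerous_caps_added),
    ("medium", "ensure containers are immutable", lambda m: container_flag(m, "readOnlyRootFilesystem", False)),
    ("medium", "entrypoint of the container must be run with a user with a high ID", lambda m: container_uid_below(m, 9999)),
]


def scan(m):
    """Return the (severity, policy) pairs whose finding condition holds."""
    return [(sev, pol) for sev, pol, check in RULES if check(m)]


def hardened(m):
    """Constructed remediation: the same Deployment with every finding fixed."""
    h = copy.deepcopy(m)
    ps = pod_spec(h)
    ps["hostNetwork"] = False
    ps["securityContext"] = {"runAsUser": 10001, "runAsNonRoot": True}
    for c in ps["containers"]:
        c["securityContext"] = {
            "privileged": False, "runAsNonRoot": True, "runAsUser": 10001,
            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}
    return h


if __name__ == "__main__":
    for sev, pol in scan(BAD_DEPLOYMENT):
        print(f"{sev:6} {pol}")
    print("findings after hardening:", scan(hardened(BAD_DEPLOYMENT)))
```

Running it lists eight findings for the constructed Deployment (hostIPC and hostPID are unset, so those two rules stay quiet) and none for the hardened copy.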

Terraform policies

| Severity | Policy | Rule | ID | Resource type |
|---|---|---|---|---|
| high | Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 | ($.resource[*].azurerm_network_security_rule exists and ($.resource[*].azurerm_network_security_rule.*[*].*.access contains Allow and $.resource[*].azurerm_network_security_rule.*[*].*.destination_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.source_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.destination_port_range contains 22 and $.resource[*].azurerm_network_security_rule.*[*].*.direction contains Inbound)) | 1eb0cd02-789a-4b96-8463-fb5583e40585 | nsg |
| high | AWS S3 buckets are accessible to public | $.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.acl does not exist or ($.resource[*].aws_s3_bucket.*[*].*.acl equals public-read-write or $.resource[*].aws_s3_bucket.*[*].*.acl equals public-read)) | ded75b65-7ef6-4239-a08f-d4d9a4eb218b | s3 |
| medium | AWS S3 object versioning is disabled | $.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.versioning does not exist or ($.resource[*].aws_s3_bucket.*[*].*.versioning exists and $.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled any equal false)) | 1914c65c-2406-4261-88cd-fbeb684a15dc | s3 |
| high | AWS Default Security Group does not restrict all traffic | $.resource[*].aws_default_security_group exists and ($.resource[*].aws_default_security_group.*[*].*.ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group.*[*].*.ingress[*].ipv6_cidr_blocks[*] contains ::/0 or $.resource[*].aws_default_security_group.*[*].*.egress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group.*[*].*.egress[*].ipv6_cidr_blocks[*] contains ::/0) | c8f6a525-e4ba-4499-b015-15153c797143 | security group |
| high | AWS Security Groups with Inbound rule overly permissive to All Traffic | ($.resource[*].aws_security_group exists and ($.resource[*].aws_security_group.*[*].*.ingress[*].protocol equals -1 and ($.resource[*].aws_security_group.*[*].*.ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[*].ipv6_cidr_blocks[*] contains ::/0))) or ($.resource[*].aws_security_group_rule exists and ($.resource[*].aws_security_group_rule.*[*].*.protocol equals -1 and $.resource[*].aws_security_group_rule.*[*].*.type equals ingress and ($.resource[*].aws_security_group_rule.*[*].*.cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group_rule.*[*].*.ipv6_cidr_blocks[*] contains ::/0))) | eba4d571-4338-4f62-8110-9be6c4b47fd0 | security group |
| medium | GCP Storage log buckets have object versioning disabled | $.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.versioning does not exist or $.resource[*].google_storage_bucket.*[*].*.versioning exists and ($.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled any equal false)) | 53a9b6e1-dd93-4110-b443-4658c13134b4 | storage |
| medium | Azure Storage Accounts without Secure transfer enabled | $.resource[*].azurerm_storage_account exists and ($.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only does not exist or ($.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only exists and $.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only any equal false)) | 80f6dc01-4aaa-4712-a7bf-70e103fea4a3 | storage |
| medium | GCP Storage Bucket does not have Access and Storage Logging enabled | $.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.logging does not exist or $.resource[*].google_storage_bucket.*[*].*.logging[*].log_bucket is empty) | 22df2129-f6bf-4a10-9118-42b8d5d922a9 | storage |
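The following is an added example, not Prisma's code, that evaluates three of the AWS Terraform rules above over a configuration written in Terraform's JSON syntax (`resource` → type → name → body); that layout, the configuration itself and the helper names are all assumptions made for this page. It shows why the security-group policy checks two resource types, since an inline `ingress` block on `aws_security_group` and a standalone `aws_security_group_rule` express the same "all traffic from anywhere" rule, and it shows that the S3 public-access rule, as written, also flags a bucket that has no `acl` attribute at all, so the remediation sets `acl = "private"` explicitly rather than relying on the provider default.

```python
"""Added example (not Prisma's code): Terraform policies from the table above,
evaluated over a constructed configuration in Terraform JSON syntax."""
import json

# Constructed configuration. Bucket "logs" has no acl and no versioning block;
# "site" is public-read; security group "web" opens all traffic inbound; the
# standalone rule is egress and therefore outside the inbound policy.
CONFIG = json.loads("""
{
  "resource": {
    "aws_s3_bucket": {
      "logs": {"bucket": "example-logs"},
      "site": {"bucket": "example-site", "acl": "public-read",
               "versioning": [{"enabled": true}]}
    },
    "aws_security_group": {
      "web": {"name": "web",
              "ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                           "cidr_blocks": ["0.0.0.0/0"]}]}
    },
    "aws_security_group_rule": {
      "egress_all": {"type": "egress", "protocol": "-1", "from_port": 0,
                     "to_port": 0, "cidr_blocks": ["0.0.0.0/0"],
                     "security_group_id": "sg-constructed"}
    }
  }
}
""")

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def blocks(config, rtype):
    """(name, body) pairs for every resource of the given type."""
    return list(config.get("resource", {}).get(rtype, {}).items())


def as_list(v):
    # Terraform JSON allows a nested block as one object or a list of objects.
    return v if isinstance(v, list) else [v]


def s3_public(config):
    # Rule: acl does not exist, or acl is public-read / public-read-write.
    return [name for name, b in blocks(config, "aws_s3_bucket")
            if b.get("acl") in (None, "public-read", "public-read-write")]


def s3_versioning_disabled(config):
    # Rule: versioning block missing, or any versioning.enabled equal false.
    # Note the rule does not match an empty versioning block with no "enabled".
    out = []
    for name, b in blocks(config, "aws_s3_bucket"):
        v = b.get("versioning")
        if v is None or any(x.get("enabled") is False for x in as_list(v)):
            out.append(name)
    return out


def open_to_world(rule):
    return (ANY_V4 in rule.get("cidr_blocks", [])
            or ANY_V6 in rule.get("ipv6_cidr_blocks", []))


def sg_all_traffic_inbound(config):
    """Both shapes of the rule: inline ingress blocks and standalone rule resources."""
    found = []
    for name, b in blocks(config, "aws_security_group"):
        if any(str(r.get("protocol")) == "-1" and open_to_world(r)
               for r in as_list(b.get("ingress", []))):
            found.append(f"aws_security_group.{name}")
    for name, b in blocks(config, "aws_security_group_rule"):
        if (str(b.get("protocol")) == "-1" and b.get("type") == "ingress"
                and open_to_world(b)):
            found.append(f"aws_security_group_rule.{name}")
    return found


def scan(config):
    return {
        "AWS S3 buckets are accessible to public": s3_public(config),
        "AWS S3 object versioning is disabled": s3_versioning_disabled(config),
        "AWS Security Groups with Inbound rule overly permissive to All Traffic":
            sg_all_traffic_inbound(config),
    }


def remediated(config):
    """Constructed fix: explicit private acl, versioning on, ingress narrowed."""
    c = json.loads(json.dumps(config))
    for b in c["resource"]["aws_s3_bucket"].values():
        b["acl"] = "private"            # the rule flags a missing acl, so set it
        b["versioning"] = [{"enabled": True}]
    c["resource"]["aws_security_group"]["web"]["ingress"][0].update(
        {"protocol": "tcp", "from_port": 443, "to_port": 443,
         "cidr_blocks": ["203.0.113.0/24"]})
    return c


if __name__ == "__main__":
    for policy, hits in scan(CONFIG).items():
        print(f"{policy}: {hits}")
    print("after remediation:", scan(remediated(CONFIG)))
```

The egress rule never appears in the findings because the policy requires `type equals ingress`; an `aws_default_security_group`, by contrast, is judged on egress as well (see the "Default Security Group" policy above).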

CloudFormation policies

| Severity | Policy | Rule | ID | Resource type |
|---|---|---|---|---|
| medium | AWS CloudTrail is not enabled in all regions | $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail any null or $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail any equal false | c1ad39ed-5341-43cb-8266-4d93a2033d75 | cloudtrail |
| medium | AWS VPC subnets should not allow automatic public IP assignment | $.Resources.[*].Type equals AWS::EC2::Subnet and ($.Resources.[*].Properties.MapPublicIpOnLaunch exists and $.Resources.[*].Properties.MapPublicIpOnLaunch is true) | 11743cd3-35e4-4639-91e1-bc87b52d4cf5 | ec2 |
| high | AWS ECS task definition elevated privileges enabled | $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Privileged any equal true | 38026e84-451b-4290-a008-562eeb36212a | ecs |
| low | AWS ECS task definition ReadonlyRootFilesystem not enabled | $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any equal false | 0f4959be-5d2d-41cf-aa45-08bb4c13121f | ecs |
| medium | AWS ECS task definition logging not enabled | $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration.LogDriver any null | 404b49c0-ad7e-41a7-94ae-587901872524 | ecs |
| medium | AWS ECS task definition resource limits not set | $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any equal 0 or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any equal 0 or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any null | 44a82298-64d1-4b4b-a9ad-eeda02448975 | ecs |
| medium | AWS Customer Master Key (CMK) rotation is not enabled | $.Resources.[*].Type equals AWS::KMS::Key and ($.Resources.[*].Properties.EnableKeyRotation does not exist or $.Resources.[*].Properties.EnableKeyRotation is false) | 497f7e2c-b702-47c7-9a07-f0f6404ac896 | kms |
| high | AWS RDS instance is not encrypted | $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any equal false | 34fa9efb-d18f-41e4-b93f-2f7e5378752c | rds |
| low | AWS RDS instance with copy tags to snapshots disabled | $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any equal false | 8a910436-344a-4bd9-9359-239a3ca13b99 | rds |
| low | AWS RDS instance without Automatic Backup setting | $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.BackupRetentionPeriod any null | f81d0239-3633-4828-a499-d2d1b1219a5c | rds |
| medium | AWS RDS instance with Multi-Availability Zone disabled | $.Resources.[*].Type equals AWS::RDS::DBInstance and ($.Resources.[*].Properties.MultiAZ does not exist or $.Resources.[*].Properties.MultiAZ is false) | f606fe0b-2950-42ce-a3b2-7f100ece5c3a | rds |
| high | AWS Redshift instances are not encrypted | $.Resources.[*].Type equals AWS::Redshift::Cluster and ($.Resources.[*].Properties.Encrypted does not exist or ($.Resources.[*].Properties.Encrypted exists and $.Resources.[*].Properties.Encrypted is false)) | 0132bbb2-c733-4c36-9c5d-c58967c7d1a6 | redshift |
| medium | AWS Redshift clusters should not be publicly accessible | $.Resources.[*].Type equals AWS::Redshift::Cluster and ($.Resources.[*].Properties.PubliclyAccessible exists and $.Resources.[*].Properties.PubliclyAccessible is true) | d65fd313-1c5c-42a1-98b2-a73bdeda19a6 | redshift |
| medium | AWS Redshift database does not have audit logging enabled | $.Resources.[*].Type equals AWS::Redshift::Cluster and ($.Resources.[*].Properties.LoggingProperties does not exist or $.Resources.[*].Properties.LoggingProperties is empty or $.Resources.[*].Properties.LoggingProperties.S3KeyPrefix does not exist or $.Resources.[*].Properties.LoggingProperties.S3KeyPrefix is empty) | 91c941aa-d110-4b33-9934-aadd86b1a4d9 | redshift |
| high | AWS S3 buckets are accessible to public | ($.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicRead or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicReadWrite) and $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.WebsiteConfiguration any null | bbb01285-7fc6-4649-85c0-6ab9f08bde4f | s3 |
| low | AWS S3 buckets do not have server side encryption | $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption any null or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm any null | ff6a3231-bb09-4fba-82ea-46ee3228a9f2 | s3 |
| medium | AWS Access logging not enabled on S3 buckets | $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.LoggingConfiguration any null | 4daa435b-fa46-457a-9359-6a4b4a43a442 | s3 |
| medium | AWS S3 Object Versioning is disabled | $.Resources.[*].Type contains AWS::S3::Bucket and ($.Resources.[*].Properties.VersioningConfiguration does not exist or ($.Resources.[*].Properties.VersioningConfiguration exists and $.Resources.[*].Properties.VersioningConfiguration.Status does not equal Enabled)) | 8ec3f878-0f5e-4782-b4cd-98018b217be5 | s3 |
| medium | AWS SNS subscription is not configured with HTTPS | $.Resources.[*].Type equals AWS::SNS::Subscription and ($.Resources.[*].Properties.Protocol exists and $.Resources.[*].Properties.Protocol equals http) | b53e5177-96e1-4999-a9c8-6400190910bb | sns |
| medium | AWS SQS queue encryption using default KMS key instead of CMK | $.Resources.[*].Type equals AWS::SQS::Queue and ($.Resources.[*].Properties.KmsMasterKeyId exists and $.Resources.[*].Properties.KmsMasterKeyId contains alias/aws/sqs) | 0a626f64-d911-4366-b7dc-629a6557d7b5 | sqs |
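The following is an added example, not Prisma's code, that implements the two operators most of the CloudFormation rules above rely on, `any null` and `any equal`, over every resource of a given `Type`, and runs a handful of the policies against a constructed template. The template, the path-walking helper and the function names are all assumptions made for this page. The point it makes is that `any` aggregates across all resources of the type at once: one non-compliant bucket in a template with compliant ones still produces a finding, and for the public-bucket rule the `AccessControl` test and the `WebsiteConfiguration` test can be satisfied by two different buckets, so a public website bucket sitting next to a private bucket without `WebsiteConfiguration` also trips the rule as written.

```python
"""Added example (not Prisma's code): 'any null' / 'any equal' evaluation of the
CloudFormation policies above over a constructed template."""
import json

# Constructed template: a public website bucket with encryption, a public data
# bucket with neither, an encrypted RDS instance with backups, and a trail that
# does not say whether it is multi-region.
TEMPLATE = json.loads("""
{
  "Resources": {
    "SiteBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "AccessControl": "PublicRead",
      "WebsiteConfiguration": {"IndexDocument": "index.html"},
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "AccessControl": "PublicRead"}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "Engine": "postgres", "DBInstanceClass": "db.t3.micro",
      "AllocatedStorage": "20", "StorageEncrypted": true,
      "BackupRetentionPeriod": 7}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
      "S3BucketName": "audit-logs", "IsLogging": true}}
  }
}
""")

S3, RDS, TRAIL = "AWS::S3::Bucket", "AWS::RDS::DBInstance", "AWS::CloudTrail::Trail"


def of_type(template, type_name):
    """Resources the filter [?(@.Type=='...')] would select."""
    return [r for r in template["Resources"].values() if r.get("Type") == type_name]


def walk(node, path):
    """Follow a path of keys and '[*]' markers, yielding each leaf value.
    A missing key yields None so that 'any null' can observe it."""
    if not path:
        yield node
        return
    key, rest = path[0], path[1:]
    if key == "[*]":
        for item in (node if isinstance(node, list) else [None]):
            yield from walk(item, rest)
    else:
        yield from walk(node.get(key) if isinstance(node, dict) else None, rest)


def values(template, type_name, dotted):
    path = [p for p in dotted.replace("[*]", ".[*]").split(".") if p]
    return [v for r in of_type(template, type_name) for v in walk(r, path)]


def any_null(template, type_name, dotted):
    return any(v is None for v in values(template, type_name, dotted))


def any_equal(template, type_name, dotted, expected):
    return any(v == expected for v in values(template, type_name, dotted))


RULES = [  # (severity, policy name from the table, finding condition)
    ("high", "AWS S3 buckets are accessible to public", lambda t:
        (any_equal(t, S3, "Properties.AccessControl", "PublicRead")
         or any_equal(t, S3, "Properties.AccessControl", "PublicReadWrite"))
        and any_null(t, S3, "Properties.WebsiteConfiguration")),
    ("low", "AWS S3 buckets do not have server side encryption", lambda t:
        any_null(t, S3, "Properties.BucketEncryption")
        or any_null(t, S3, "Properties.BucketEncryption.ServerSideEncryptionConfiguration"
                           "[*].ServerSideEncryptionByDefault.SSEAlgorithm")),
    ("medium", "AWS Access logging not enabled on S3 buckets", lambda t:
        any_null(t, S3, "Properties.LoggingConfiguration")),
    ("high", "AWS RDS instance is not encrypted", lambda t:
        any_null(t, RDS, "Properties.StorageEncrypted")
        or any_equal(t, RDS, "Properties.StorageEncrypted", False)),
    ("low", "AWS RDS instance without Automatic Backup setting", lambda t:
        any_null(t, RDS, "Properties.BackupRetentionPeriod")),
    ("medium", "AWS CloudTrail is not enabled in all regions", lambda t:
        any_null(t, TRAIL, "Properties.IsMultiRegionTrail")
        or any_equal(t, TRAIL, "Properties.IsMultiRegionTrail", False)),
]


def scan(template):
    """Policy names whose finding condition holds for the whole template."""
    return [pol for _, pol, check in RULES if check(template)]


def website_plus_private():
    """Constructed variant: DataBucket made Private. Neither bucket is what the
    public-bucket policy targets, yet the rule still fires because each 'any'
    clause is satisfied by a different bucket."""
    t = json.loads(json.dumps(TEMPLATE))
    t["Resources"]["DataBucket"]["Properties"]["AccessControl"] = "Private"
    return t


if __name__ == "__main__":
    print(scan(TEMPLATE))
    print(scan(website_plus_private()))
```

For the constructed template the scan reports the public bucket, missing server-side encryption, missing access logging and the non-multi-region trail, while the encrypted, backed-up RDS instance passes; the variant with a private data bucket still reports the public-bucket policy, which is the cross-resource effect of `any` worth keeping in mind when reading the Rule column.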