Prisma Public Cloud IaC Scan API (BETA)

Scans CloudFormation templates, Terraform configurations and Kubernetes deployment YAML files for security issues. The policies each scanner evaluates are listed below, one table per file type, with the severity, the rule expression applied to the parsed document, the policy ID and the resource type.

Kubernetes app YAML policies

Severity | Policy | Rule | ID | Resource Type
high | all capabilities should be dropped | $.spec.template.spec.containers[*].securityContext.capabilities.drop exists and !contains all | 4682a6f1-2a1b-4f5a-938c-cdd3fa421a63 | k8s
high | avoid running privileged containers | $.spec.template.spec.containers[*].securityContext.privileged is true | 92714c07-d12b-4635-ae6a-514c5c428c5a | k8s
high | containers must be run as non-root | $.spec.template.spec.containers[*].securityContext.runAsNonRoot exists and is false | 2e22737c-a5b8-4808-8a8b-d99fc7e99505 | k8s
high | do not run containers as root | $.spec.template.spec.securityContext.runAsUser < 1 | 314eba46-a376-43f6-9a0a-8517818301f1 | k8s
high | do not share host network with containers | $.spec.template.spec.hostNetwork is true | 99544e17-fc8f-4c77-963e-083ab80c53b0 | k8s
low | do not allow volume claims to be read by many nodes | $.spec.volumeClaimTemplates[*].spec.accessModes == ReadOnlyMany | 802f2ed9-0b0d-4627-bf1a-7cb0ccfdd71c | k8s
medium | do not allow sharing host IPC namespace | $.spec.template.spec.hostIPC is true | 344fb01c-7195-3e9f-47e1-c640733af43f | k8s
medium | do not allow sharing host PID namespace | $.spec.template.spec.hostPID is true | 4c5d00c1-8f60-40bc-9566-a5b4e019752a | k8s
medium | do not allow volume claims to be read-write by many nodes | $.spec.volumeClaimTemplates[*].spec.accessModes == ReadWriteMany | f9bcb4b8-3f22-448a-8521-9e09e3a994e0 | k8s
medium | do not run containers with dangerous capabilities | $.spec.template.spec.containers[*].securityContext.capabilities exists and $.spec.template.spec.containers[*].securityContext.capabilities.add[*] is member of (FSETID, SETUID, SETGID, SYS_CHROOT, SYS_PTRACE, CHOWN, NET_RAW, NET_ADMIN, SYS_ADMIN, NET_BIND_SERVICE) | 135420a6-3206-4c29-b944-846f65cea43e | k8s
medium | ensure containers are immutable | $.spec.template.spec.containers[*].securityContext.readOnlyRootFilesystem exists and is false | c448b01c-7f95-4e9f-97e1-c640733af44f | k8s
medium | entrypoint of the container must be run with a user with a high ID | $.spec.template.spec.containers[*].securityContext.runAsUser < 9999 | 6e06b1a6-7eea-4730-91c2-9ac3fb676dce | k8s
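The Kubernetes rules above can be exercised locally before a manifest is ever submitted to the API. What follows is an added example, not code from the Prisma scan API or its rule engine: it re-implements each policy in the table as plain Python over a parsed manifest (a dict, as yaml.safe_load would return) and runs them against two constructed Deployment manifests, one that trips most of the rules and one hardened to pass them. The names evaluate_k8s, WEAK_DEPLOYMENT and HARDENED_DEPLOYMENT, and the severity in each finding, are this example's own; the severities are copied from the table.

```python
"""Re-implementation of the Kubernetes policies in the table above.

Added example, not part of the Prisma IaC Scan API or its rule engine. Paths
mirror the table: pod-level fields live under spec.template.spec,
container-level fields under spec.template.spec.containers[*].securityContext.
Both manifests at the bottom are constructed for this example.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, scope, policy)

# capabilities.add values that the "dangerous capabilities" rule refuses
DANGEROUS_CAPS = {
    "FSETID", "SETUID", "SETGID", "SYS_CHROOT", "SYS_PTRACE", "CHOWN",
    "NET_RAW", "NET_ADMIN", "SYS_ADMIN", "NET_BIND_SERVICE",
}


def _is_int(v: Any) -> bool:
    return isinstance(v, int) and not isinstance(v, bool)


def evaluate_k8s(manifest: Dict[str, Any]) -> List[Finding]:
    """Return (severity, scope, policy) for every table rule the manifest violates."""
    out: List[Finding] = []
    spec = manifest.get("spec") or {}
    pod = (spec.get("template") or {}).get("spec") or {}
    pod_sc = pod.get("securityContext") or {}

    # Pod-level rules ($.spec.template.spec.*)
    if pod.get("hostNetwork") is True:
        out.append(("high", "pod", "do not share host network with containers"))
    if pod.get("hostIPC") is True:
        out.append(("medium", "pod", "do not allow sharing host IPC namespace"))
    if pod.get("hostPID") is True:
        out.append(("medium", "pod", "do not allow sharing host PID namespace"))
    if _is_int(pod_sc.get("runAsUser")) and pod_sc["runAsUser"] < 1:  # UID 0 is root
        out.append(("high", "pod", "do not run containers as root"))

    # StatefulSet volumeClaimTemplates ($.spec.volumeClaimTemplates[*])
    for vct in spec.get("volumeClaimTemplates") or []:
        modes = (vct.get("spec") or {}).get("accessModes") or []
        if "ReadOnlyMany" in modes:
            out.append(("low", "pvc", "do not allow volume claims to be read by many nodes"))
        if "ReadWriteMany" in modes:
            out.append(("medium", "pvc", "do not allow volume claims to be read-write by many nodes"))

    # Container-level rules ($.spec.template.spec.containers[*].securityContext.*)
    for c in pod.get("containers") or []:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged") is True:
            out.append(("high", name, "avoid running privileged containers"))
        # As worded in the table, the next three fire only when the field is
        # present with the bad value; an omitted field is not a finding.
        if sc.get("runAsNonRoot") is False:
            out.append(("high", name, "containers must be run as non-root"))
        if sc.get("readOnlyRootFilesystem") is False:
            out.append(("medium", name, "ensure containers are immutable"))
        # Kubernetes spells the wildcard "ALL"; the table writes "all", so compare case-insensitively
        if "drop" in caps and not any(str(d).lower() == "all" for d in caps["drop"] or []):
            out.append(("high", name, "all capabilities should be dropped"))
        if DANGEROUS_CAPS & {str(a).upper() for a in caps.get("add") or []}:
            out.append(("medium", name, "do not run containers with dangerous capabilities"))
        if _is_int(sc.get("runAsUser")) and sc["runAsUser"] < 9999:
            out.append(("medium", name, "entrypoint of the container must be run with a user with a high ID"))
    return out


# Constructed manifest that trips most of the rules above.
WEAK_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "weak"},
    "spec": {"template": {"spec": {
        "hostNetwork": True, "hostPID": True, "securityContext": {"runAsUser": 0},
        "containers": [{"name": "app", "image": "example/app:1.0", "securityContext": {
            "privileged": True, "runAsNonRoot": False, "readOnlyRootFilesystem": False,
            "runAsUser": 1000, "capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"], "drop": ["MKNOD"]},
        }}],
    }}},
}

# The same workload with the settings the table asks for.
HARDENED_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "hardened"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 10001, "runAsNonRoot": True},
        "containers": [{"name": "app", "image": "example/app:1.0", "securityContext": {
            "privileged": False, "runAsNonRoot": True, "readOnlyRootFilesystem": True,
            "runAsUser": 10001, "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
        }}],
    }}},
}

if __name__ == "__main__":
    for sev, scope, policy in evaluate_k8s(WEAK_DEPLOYMENT):
        print(f"{sev:6} {scope:4} {policy}")
    print("hardened:", evaluate_k8s(HARDENED_DEPLOYMENT) or "no findings")
```

Two points worth keeping in mind when reading results. The runAsNonRoot, readOnlyRootFilesystem and capabilities.drop rules are written as "exists and ..." in the table, so a container with no securityContext at all passes all three; a clean result on such a manifest means the settings were never tested, not that they are safe. And the dangerous-capabilities rule only inspects capabilities.add, so a container that keeps the runtime's default capability set, including NET_RAW, is not reported unless it adds to it.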

Terraform policies

Severity | Policy | Rule | ID | Resource Type
medium | AWS VPC NACL allows egress traffic from blocked ports | $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].action==allow or $.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].action==allow | de727ef6-60b0-46b9-a056-29830952c986 | AWS NACL egress rules
medium | AWS VPC NACL allows traffic from blocked ports | $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].action==allow or $.resource[*].aws_network_acl.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].action==allow | 1cc0ec13-4079-4e27-b597-9edf83a1cd93 | AWS VPC NACL allow traffic
medium | AWS security group allows traffic from blocked ports | $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5800' && @.to_port == '5800')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '5900' && @.to_port == '5903')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '2323' && @.to_port == '2323')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '23' && @.to_port == '23')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '25' && @.to_port == '25')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '110' && @.to_port == '110')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '143' && @.to_port == '143')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '53' && @.to_port == '53')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].ipv6_cidr_blocks[*] == ::/0 | 9731fe16-636f-477a-b083-6d90c66d2c0b | AWS security group ingress ports
medium | AWS security group allows egress traffic from blocked ports - 21, 22, 135, 137-139, 445, 69 | $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '21' && @.to_port == '21')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '445' && @.to_port == '445')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '135' && @.to_port == '135')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == '-1' && @.from_port == '137' && @.to_port == '139')].ipv6_cidr_blocks[*] == ::/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.egress[?(@.protocol == 'udp' && @.from_port == '69' && @.to_port == '69')].ipv6_cidr_blocks[*] == ::/0 | 2b47072f-0d2b-45a5-aa2d-1db80974176e | Security Group egress traffic
medium | AWS EC2 instance has SSH port open to internet | $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] == 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] == ::/0 | c2bcdbe7-7c2c-48bc-a0f7-37e1b9766385 | Security Group ingress rule
medium | AWS CloudTrail logs are not encrypted using Customer Master Keys | $.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyNull or $.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyEmpty | 07a06f60-1532-4e2e-b91c-8f972a96f1a9 | cloudtrail
high | AWS Kubernetes unsupported master node version | $.resource[*].aws_eks_cluster[*].*[*].version starts with 1.9 | 60440266-3d03-41ce-ba8c-d51ccbdb6804 | eks
medium | AWS ElasticSearch cluster not in a VPC | $.resource[*].aws_elasticsearch_domain exists and $.resource[*].aws_elasticsearch_domain[*].es[*].vpc_options does not exist | 28ee2708-305a-4b23-acf0-535ab45b96ab | elasticsearch
medium | AWS IAM password policy does not expire in 90 days | $.resource[*].aws_iam_account_password_policy[*].*[*].max_password_age greater than 90 | cb4e7ef6-b4b4-45a5-9ae5-194d3a0e12e9 | iam_account_password
medium | AWS IAM password policy does not have a lowercase character | $.resource[*].aws_iam_account_password_policy exists and $.resource[*].aws_iam_account_password_policy[*].*[*].require_lowercase_characters is false | 77c2d5a8-071f-48b9-9de0-5917e9b4548d | iam_account_password
medium | AWS IAM password policy does not have a minimum of 14 characters | $.resource[*].aws_iam_account_password_policy[*].*[*].minimum_password_length less than 14 | 7228106b-f82f-4d2e-a1a0-73fd15f70637 | iam_account_password
medium | AWS IAM password policy does not have a number | $.resource[*].aws_iam_account_password_policy exists and $.resource[*].aws_iam_account_password_policy[*].*[*].require_numbers is false | 41fdae49-6fc7-4bc9-80e4-2cbb2262ab7a | iam_account_password
medium | AWS IAM password policy does not have a symbol | $.resource[*].aws_iam_account_password_policy exists and $.resource[*].aws_iam_account_password_policy[*].*[*].require_symbols is false | f8013bbf-21b8-4e81-b6ef-7b568407129c | iam_account_password
medium | AWS IAM password policy does not have an uppercase character | $.resource[*].aws_iam_account_password_policy exists and $.resource[*].aws_iam_account_password_policy[*].*[*].require_uppercase_characters is false | d6dadfcf-a98c-4917-97b5-a5df6a9c493d | iam_account_password
medium | AWS Customer Master Key (CMK) rotation is not enabled | $.resource[*].aws_kms_key[*].*[?(@.enable_key_rotation != 'true')] exists | 497f7e2c-b702-47c7-9a07-f0f6404ac896 | kms
high | Azure Network Security Group (NSG) allows SSH traffic from internet on port 22 | ($.resource[*].azurerm_network_security_rule exists and ($.resource[*].azurerm_network_security_rule.*[*].*.access contains Allow and $.resource[*].azurerm_network_security_rule.*[*].*.destination_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.source_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.destination_port_range contains 22 and $.resource[*].azurerm_network_security_rule.*[*].*.direction contains Inbound)) | 1eb0cd02-789a-4b96-8463-fb5583e40585 | nsg
medium | AWS Redshift does not have require_ssl configured | $.resource[*].aws_redshift_cluster exists and ($.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl')] !exists or $.resource[*].aws_redshift_parameter_group[*].*[*].parameter[?(@.name=='require_ssl')].value isFalse) | 2ff03f80-c9f6-4a37-b8b1-1212965e352d | redshift
high | AWS S3 buckets are accessible to public | $.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.acl does not exist or ($.resource[*].aws_s3_bucket.*[*].*.acl equals public-read-write or $.resource[*].aws_s3_bucket.*[*].*.acl equals public-read)) | ded75b65-7ef6-4239-a08f-d4d9a4eb218b | s3
medium | AWS S3 object versioning is disabled | $.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.versioning does not exist or ($.resource[*].aws_s3_bucket.*[*].*.versioning exists and $.resource[*].aws_s3_bucket.*[*].*.versioning[*].enabled any equal false)) | 1914c65c-2406-4261-88cd-fbeb684a15dc | s3
high | AWS Default Security Group does not restrict all traffic | $.resource[*].aws_default_security_group exists and ($.resource[*].aws_default_security_group.*[*].*.ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group.*[*].*.ingress[*].ipv6_cidr_blocks[*] contains ::/0 or $.resource[*].aws_default_security_group.*[*].*.egress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group.*[*].*.egress[*].ipv6_cidr_blocks[*] contains ::/0) | c8f6a525-e4ba-4499-b015-15153c797143 | security group
high | AWS Security Groups allow traffic from internet to RDP port (3389) | $.resource[*].aws_security_group[*].[*].[*].ingress[*].to_port == 3389 | 1796efe6-802d-4768-8c17-7491c560b686 | security group
high | AWS Security Groups allow internet traffic to SSH port (22) | $.resource[*].aws_security_group exists and ($.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].ipv6_cidr_blocks[*] contains ::/0) | 9745cb18-32f9-4411-a59c-fae4ffa362ce | security group
high | AWS Security Groups with Inbound rule overly permissive to All Traffic | ($.resource[*].aws_security_group exists and ($.resource[*].aws_security_group.*[*].*.ingress[*].protocol equals -1 and ($.resource[*].aws_security_group.*[*].*.ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[*].ipv6_cidr_blocks[*] contains ::/0))) or ($.resource[*].aws_security_group_rule exists and ($.resource[*].aws_security_group_rule.*[*].*.protocol equals -1 and $.resource[*].aws_security_group_rule.*[*].*.type equals ingress and ($.resource[*].aws_security_group_rule.*[*].*.cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group_rule.*[*].*.ipv6_cidr_blocks[*] contains ::/0))) | eba4d571-4338-4f62-8110-9be6c4b47fd0 | security group
medium | GCP Storage log buckets have object versioning disabled | $.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.versioning does not exist or $.resource[*].google_storage_bucket.*[*].*.versioning exists and ($.resource[*].google_storage_bucket.*[*].*.versioning[*].enabled any equal false)) | 53a9b6e1-dd93-4110-b443-4658c13134b4 | storage
medium | Azure Storage Accounts without Secure transfer enabled | $.resource[*].azurerm_storage_account exists and ($.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only does not exist or ($.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only exists and $.resource[*].azurerm_storage_account.*[*].*.enable_https_traffic_only any equal false)) | 80f6dc01-4aaa-4712-a7bf-70e103fea4a3 | storage
medium | GCP Storage Bucket does not have Access and Storage Logging enabled | $.resource[*].google_storage_bucket exists and ($.resource[*].google_storage_bucket.*[*].*.logging does not exist or $.resource[*].google_storage_bucket.*[*].*.logging[*].log_bucket is empty) | 22df2129-f6bf-4a10-9118-42b8d5d922a9 | storage
medium | AWS VPC allows unauthorized peering | $.resource[*].aws_vpc_peering_connection[*].*[*].peer_vpc_id does not equal $.resource[*].aws_vpc_peering_connection[*].*[*].vpc_id | 59356130-d856-470d-a08e-b2a0ba2a4ac7 | vpc
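The security group and NACL "blocked ports" rules above are the longest in the table, and their matching is narrower than the policy names suggest. The following is an added example, not code from the Prisma scan API or its rule engine: it reads Terraform in its JSON syntax (a .tf.json document of the shape {"resource": {"<type>": {"<name>": {...}}}}, which is simpler to handle offline than HCL) and applies the same port, protocol and CIDR conditions in plain Python. The JSONPath in the table walks the scanner's own parse tree, which this example does not reproduce; the names evaluate_terraform, WEAK_TF and FIXED_TF and the two configurations are this example's own.

```python
"""Re-implementation of the security group and NACL blocked-port rules in the table above.

Added example, not the scanner's code. The port lists are copied from the
rule bodies in the table; the configurations at the bottom are constructed.
"""
from typing import Any, Dict, List, Tuple

# (protocol, from_port, to_port) triples, as the table's rule bodies list them.
SG_INGRESS_BLOCKED = {
    ("tcp", 22, 22), ("tcp", 21, 21), ("tcp", 5800, 5800), ("tcp", 5900, 5903),
    ("tcp", 2323, 2323), ("tcp", 23, 23), ("tcp", 25, 25), ("tcp", 110, 110),
    ("tcp", 143, 143), ("-1", 53, 53), ("udp", 135, 135), ("-1", 137, 139),
    ("udp", 69, 69),
}
SG_EGRESS_BLOCKED = {
    ("tcp", 22, 22), ("tcp", 21, 21), ("tcp", 445, 445), ("udp", 135, 135),
    ("-1", 137, 139), ("udp", 69, 69),
}
NACL_INGRESS_BLOCKED = SG_INGRESS_BLOCKED  # identical list in the table
NACL_EGRESS_BLOCKED = SG_EGRESS_BLOCKED    # identical list, listed in a different order
ANYWHERE = {"0.0.0.0/0", "::/0"}

Finding = Tuple[str, str, str]  # (resource address, matched rule, policy)


def _triple(rule: Dict[str, Any]) -> Tuple[str, int, int]:
    """Normalise one ingress/egress block; Terraform accepts ports as numbers or strings."""
    return (str(rule.get("protocol")), int(rule.get("from_port", -1)), int(rule.get("to_port", -1)))


def _open_to_world(rule: Dict[str, Any]) -> bool:
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    return bool(cidrs & ANYWHERE)


def evaluate_terraform(doc: Dict[str, Any]) -> List[Finding]:
    """Return one finding per ingress/egress block that matches a blocked-port policy."""
    out: List[Finding] = []
    resources = doc.get("resource") or {}

    # Security groups: a blocked port only counts when the CIDR is the whole internet.
    for name, body in (resources.get("aws_security_group") or {}).items():
        for direction, blocked, policy in (
            ("ingress", SG_INGRESS_BLOCKED, "AWS security group allows traffic from blocked ports"),
            ("egress", SG_EGRESS_BLOCKED, "AWS security group allows egress traffic from blocked ports"),
        ):
            for rule in body.get(direction) or []:
                proto, lo, hi = _triple(rule)
                if (proto, lo, hi) in blocked and _open_to_world(rule):
                    out.append((f"aws_security_group.{name}", f"{direction} {proto} {lo}-{hi}", policy))

    # NACLs: the table only requires action == allow, whatever the CIDR.
    for name, body in (resources.get("aws_network_acl") or {}).items():
        for direction, blocked, policy in (
            ("ingress", NACL_INGRESS_BLOCKED, "AWS VPC NACL allows traffic from blocked ports"),
            ("egress", NACL_EGRESS_BLOCKED, "AWS VPC NACL allows egress traffic from blocked ports"),
        ):
            for rule in body.get(direction) or []:
                proto, lo, hi = _triple(rule)
                if (proto, lo, hi) in blocked and str(rule.get("action", "")).lower() == "allow":
                    out.append((f"aws_network_acl.{name}", f"{direction} {proto} {lo}-{hi}", policy))
    return out


# Constructed: SSH open to the world, TFTP egress to all of IPv6, telnet allowed by the NACL.
WEAK_TF: Dict[str, Any] = {"resource": {
    "aws_security_group": {"web": {
        "name": "web",
        "ingress": [
            {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
            # Covers 21, 22, 23 and 25 but matches no (from_port, to_port) pair in the
            # table exactly, so the table's rules stay silent on it.
            {"protocol": "tcp", "from_port": 20, "to_port": 25, "cidr_blocks": ["0.0.0.0/0"]},
        ],
        "egress": [{"protocol": "udp", "from_port": 69, "to_port": 69, "ipv6_cidr_blocks": ["::/0"]}],
    }},
    "aws_network_acl": {"main": {
        "ingress": [{"protocol": "tcp", "rule_no": 100, "action": "allow",
                     "cidr_block": "10.0.0.0/8", "from_port": 23, "to_port": 23}],
    }},
}}

# Constructed: the same resources with SSH limited to a bastion range and telnet denied.
FIXED_TF: Dict[str, Any] = {"resource": {
    "aws_security_group": {"web": {
        "name": "web",
        "ingress": [
            {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["10.20.0.0/24"]},
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        ],
        "egress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}],
    }},
    "aws_network_acl": {"main": {
        "ingress": [{"protocol": "tcp", "rule_no": 100, "action": "deny",
                     "cidr_block": "0.0.0.0/0", "from_port": 23, "to_port": 23}],
    }},
}}

if __name__ == "__main__":
    for addr, rule, policy in evaluate_terraform(WEAK_TF):
        print(f"{addr:26} {rule:20} {policy}")
    print("fixed:", evaluate_terraform(FIXED_TF) or "no findings")
```

The tcp 20-25 block in WEAK_TF is the caveat to remember: every blocked-port rule in the table compares from_port and to_port for equality with a single pair, so a range that merely contains 21, 22, 23 or 25 is not reported, and the "overly permissive to All Traffic" rule only fires when protocol is -1. Among the rules listed here, a tcp 0-65535 ingress from 0.0.0.0/0 therefore produces no finding at all; a reviewer should read port ranges by hand or add a range-aware check.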

CloudFormation policies

Severity | Policy | Rule | ID | Resource Type
medium | AWS CloudTrail is not enabled in all regions | $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail any null or $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail any equal false | c1ad39ed-5341-43cb-8266-4d93a2033d75 | cloudtrail
medium | AWS VPC subnets should not allow automatic public IP assignment | $.Resources.[*].Type equals AWS::EC2::Subnet and ($.Resources.[*].Properties.MapPublicIpOnLaunch exists and $.Resources.[*].Properties.MapPublicIpOnLaunch is true) | 11743cd3-35e4-4639-91e1-bc87b52d4cf5 | ec2
high | AWS ECS task definition elevated privileges enabled | $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Privileged any equal true | 38026e84-451b-4290-a008-562eeb36212a | ecs
low | AWS ECS task definition readonlyRootFilesystem not enabled | $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any equal false | 0f4959be-5d2d-41cf-aa45-08bb4c13121f | ecs
medium | AWS ECS task definition logging not enabled | $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].LogConfiguration.LogDriver any null | 404b49c0-ad7e-41a7-94ae-587901872524 | ecs
medium | AWS ECS task definition resource limits not set | $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any equal 0 or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any equal 0 or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any null | 44a82298-64d1-4b4b-a9ad-eeda02448975 | ecs
medium | AWS Customer Master Key (CMK) rotation is not enabled | $.Resources.[*].Type equals AWS::KMS::Key and ($.Resources.[*].Properties.EnableKeyRotation does not exist or $.Resources.[*].Properties.EnableKeyRotation is false) | 497f7e2c-b702-47c7-9a07-f0f6404ac896 | kms
high | AWS RDS instance is not encrypted | $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.StorageEncrypted any equal false | 34fa9efb-d18f-41e4-b93f-2f7e5378752c | rds
low | AWS RDS instance with copy tags to snapshots disabled | $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any null or $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.CopyTagsToSnapshot any equal false | 8a910436-344a-4bd9-9359-239a3ca13b99 | rds
low | AWS RDS instance without Automatic Backup setting | $.Resources.*[?(@.Type=='AWS::RDS::DBInstance')].Properties.BackupRetentionPeriod any null | f81d0239-3633-4828-a499-d2d1b1219a5c | rds
medium | AWS RDS instance with Multi-Availability Zone disabled | $.Resources.[*].Type equals AWS::RDS::DBInstance and ($.Resources.[*].Properties.MultiAZ does not exist or $.Resources.[*].Properties.MultiAZ is false) | f606fe0b-2950-42ce-a3b2-7f100ece5c3a | rds
high | AWS Redshift instances are not encrypted | $.Resources.[*].Type equals AWS::Redshift::Cluster and ($.Resources.[*].Properties.Encrypted does not exist or ($.Resources.[*].Properties.Encrypted exists and $.Resources.[*].Properties.Encrypted is false)) | 0132bbb2-c733-4c36-9c5d-c58967c7d1a6 | redshift
medium | AWS Redshift clusters should not be publicly accessible | $.Resources.[*].Type equals AWS::Redshift::Cluster and ($.Resources.[*].Properties.PubliclyAccessible exists and $.Resources.[*].Properties.PubliclyAccessible is true) | d65fd313-1c5c-42a1-98b2-a73bdeda19a6 | redshift
medium | AWS Redshift database does not have audit logging enabled | $.Resources.[*].Type equals AWS::Redshift::Cluster and ($.Resources.[*].Properties.LoggingProperties does not exist or $.Resources.[*].Properties.LoggingProperties is empty or $.Resources.[*].Properties.LoggingProperties.S3KeyPrefix does not exist or $.Resources.[*].Properties.LoggingProperties.S3KeyPrefix is empty) | 91c941aa-d110-4b33-9934-aadd86b1a4d9 | redshift
high | AWS S3 buckets are accessible to public | ($.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicRead or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicReadWrite) and $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.WebsiteConfiguration any null | bbb01285-7fc6-4649-85c0-6ab9f08bde4f | s3
low | AWS S3 buckets do not have server side encryption | $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption any null or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm any null | ff6a3231-bb09-4fba-82ea-46ee3228a9f2 | s3
medium | AWS Access logging not enabled on S3 buckets | $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.LoggingConfiguration any null | 4daa435b-fa46-457a-9359-6a4b4a43a442 | s3
medium | AWS S3 Object Versioning is disabled | $.Resources.[*].Type contains AWS::S3::Bucket and ($.Resources.[*].Properties.VersioningConfiguration does not exist or ($.Resources.[*].Properties.VersioningConfiguration exists and $.Resources.[*].Properties.VersioningConfiguration.Status does not equal Enabled)) | 8ec3f878-0f5e-4782-b4cd-98018b217be5 | s3
medium | AWS SNS subscription is not configured with HTTPS | $.Resources.[*].Type equals AWS::SNS::Subscription and ($.Resources.[*].Properties.Protocol exists and $.Resources.[*].Properties.Protocol equals http) | b53e5177-96e1-4999-a9c8-6400190910bb | sns
medium | AWS SQS queue encryption using default KMS key instead of CMK | $.Resources.[*].Type equals AWS::SQS::Queue and ($.Resources.[*].Properties.KmsMasterKeyId exists and $.Resources.[*].Properties.KmsMasterKeyId contains alias/aws/sqs) | 0a626f64-d911-4366-b7dc-629a6557d7b5 | sqs
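Most of the CloudFormation rules are written with "any null", which makes an absent property a finding in its own right, and the public-bucket rule carries an exception for website buckets. What follows is an added example, not code from the Prisma scan API or its rule engine: it writes the S3 and ECS task definition policies from the table as plain Python over a parsed template (a dict, as json.load or yaml.safe_load would return) and runs them against two constructed templates, one with the defaults the rules complain about and one with the settings they ask for. The names evaluate_cfn, WEAK_TEMPLATE and FIXED_TEMPLATE, and the reporting of findings per resource rather than per template, are this example's own.

```python
"""Re-implementation of the S3 and ECS policies in the CloudFormation table above.

Added example, not the scanner's code. The table's JSONPath filters
($.Resources.*[?(@.Type=='AWS::S3::Bucket')]...) are written out as plain
Python; where the table says "any null", a missing property is reported as a
violation. Both templates at the bottom are constructed for this example.
"""
from typing import Any, Dict, Iterator, List, Tuple

Finding = Tuple[str, str, str]  # (severity, logical id or logical id/container, policy)


def _resources(template: Dict[str, Any], rtype: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (logical id, Properties) for every resource of the given Type."""
    for logical_id, res in (template.get("Resources") or {}).items():
        if res.get("Type") == rtype:
            yield logical_id, res.get("Properties") or {}


def evaluate_cfn(template: Dict[str, Any]) -> List[Finding]:
    """Return (severity, scope, policy) for every S3 and ECS rule the template violates."""
    out: List[Finding] = []
    for lid, p in _resources(template, "AWS::S3::Bucket"):
        # A public ACL is reported only when the bucket is not a website bucket
        # (the table's rule requires WebsiteConfiguration to be null as well).
        if p.get("AccessControl") in ("PublicRead", "PublicReadWrite") and p.get("WebsiteConfiguration") is None:
            out.append(("high", lid, "AWS S3 buckets are accessible to public"))
        rules = (p.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration") or []
        if not rules or any((r.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm") is None for r in rules):
            out.append(("low", lid, "AWS S3 buckets do not have server side encryption"))
        if p.get("LoggingConfiguration") is None:
            out.append(("medium", lid, "AWS Access logging not enabled on S3 buckets"))
        if (p.get("VersioningConfiguration") or {}).get("Status") != "Enabled":
            out.append(("medium", lid, "AWS S3 Object Versioning is disabled"))
    for lid, p in _resources(template, "AWS::ECS::TaskDefinition"):
        for cd in p.get("ContainerDefinitions") or []:
            scope = f"{lid}/{cd.get('Name', '<unnamed>')}"
            if cd.get("Privileged") is True:
                out.append(("high", scope, "AWS ECS task definition elevated privileges enabled"))
            if cd.get("ReadonlyRootFilesystem") is not True:  # null or false
                out.append(("low", scope, "AWS ECS task definition readonlyRootFilesystem not enabled"))
            if (cd.get("LogConfiguration") or {}).get("LogDriver") is None:
                out.append(("medium", scope, "AWS ECS task definition logging not enabled"))
    return out


# Constructed: a public bucket with default settings, a static-website bucket that is
# otherwise well configured, and a privileged task definition without logging.
WEAK_TEMPLATE: Dict[str, Any] = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "Data": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "Site": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {"IndexDocument": "index.html"},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "LoggingConfiguration": {"DestinationBucketName": "example-access-logs"},
        "VersioningConfiguration": {"Status": "Enabled"},
    }},
    "Task": {"Type": "AWS::ECS::TaskDefinition", "Properties": {"ContainerDefinitions": [
        {"Name": "app", "Image": "example/app:1.0", "Privileged": True}]}},
}}

# Constructed: the same data bucket and task definition with the settings the table asks for.
FIXED_TEMPLATE: Dict[str, Any] = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "Data": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "LoggingConfiguration": {"DestinationBucketName": "example-access-logs"},
        "VersioningConfiguration": {"Status": "Enabled"},
    }},
    "Task": {"Type": "AWS::ECS::TaskDefinition", "Properties": {"ContainerDefinitions": [
        {"Name": "app", "Image": "example/app:1.0", "Privileged": False,
         "ReadonlyRootFilesystem": True,
         "LogConfiguration": {"LogDriver": "awslogs", "Options": {"awslogs-group": "/ecs/app"}}}]}},
}}

if __name__ == "__main__":
    for sev, scope, policy in evaluate_cfn(WEAK_TEMPLATE):
        print(f"{sev:6} {scope:9} {policy}")
    print("fixed:", evaluate_cfn(FIXED_TEMPLATE) or "no findings")
```

The Site bucket in WEAK_TEMPLATE produces no findings: its PublicRead ACL is exempted because WebsiteConfiguration is set, and its encryption, logging and versioning satisfy the other three rules. The exemption means a bucket whose objects are deliberately world-readable passes the public-access rule, so the list of website buckets in a template still deserves a manual look.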